efk/pipelines/secure-login.json

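# Register (or replace) the "secure-login" ingest pipeline on the local
# Elasticsearch node. It parses sshd authentication lines (BSD-syslog style:
# "<Mon> <day> <HH:mm:ss> <host> <program>[pid]: <text>") out of "message"
# into login.* fields (time, method, result, user, ruser, rhost).
#
# Notes for reviewers:
#  - LOGIN_TIME allows one or more spaces between month and day, because
#    syslog pads single-digit days with a space ("Aug  9 00:02:22"); the date
#    processor therefore also lists the double-space format.
#  - The syslog timestamp carries no year, so the date processor has to assume
#    one (the current year); events that cross a year boundary at ingest time
#    get the wrong year.
#  - rhost uses IPORHOST rather than HOSTNAME so IPv6 peers are matched, and
#    user fields use USERNAME so names containing ".", "_" or "-" still parse.
#    Unparsed lines are still indexed (ignore_failure) and keep their raw
#    "message": the final remove only fires when grok populated login.*.
#  - If parsing login.time fails, the original event time that was moved to
#    read_timestamp is copied back to @timestamp so the event is never left
#    without a timestamp.
curl -H "Content-Type: application/json" -X PUT http://127.0.0.1:9200/_ingest/pipeline/secure-login -d '
{
  "description" : "secure-login",
  "processors" : [
    {
      "grok" : {
        "field" : "message",
        "patterns" : [
          "^%{LOGIN_TIME:login.time} [^ ]+ %{WORD:login.method}.*: %{RESULT:login.result} %{USERNAME:login.user} from %{IPORHOST:login.rhost}",
          "^%{LOGIN_TIME:login.time} [^ ]+ %{WORD:login.method}.*: %{RESULT:login.result} for %{USERNAME:login.user} from %{IPORHOST:login.rhost}",
          "^%{LOGIN_TIME:login.time} [^ ]+ %{WORD:login.method}.*: %{RESULT:login.result}; .*ruser=(?:%{USERNAME:login.ruser}|) rhost=(?:%{IPORHOST:login.rhost}|) +user=%{USERNAME:login.user}"
        ],
        "pattern_definitions" : {
          "LOGIN_TIME" : "[^ ]+ +[^ ]+ [^ ]+",
          "RESULT" : "Invalid user|Accepted publickey|Accepted password|authentication failure"
        },
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "rename" : {
        "field" : "@timestamp",
        "target_field" : "read_timestamp",
        "ignore_missing" : true
      }
    },
    {
      "date" : {
        "formats" : [
          "MMM  d HH:mm:ss",
          "MMM d HH:mm:ss",
          "MMM dd HH:mm:ss"
        ],
        "timezone" : "Asia/Shanghai",
        "field" : "login.time",
        "target_field" : "@timestamp",
        "on_failure" : [
          {
            "set" : {
              "if" : "ctx.read_timestamp != null",
              "field" : "@timestamp",
              "value" : "{{read_timestamp}}"
            }
          }
        ]
      }
    },
    {
      "remove" : {
        "field" : "login.time",
        "ignore_failure" : true
      }
    },
    {
      "remove" : {
        "if" : "ctx.login != null",
        "field" : "message",
        "ignore_missing" : true
      }
    }
  ]
}'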