does someone someone have a complete GROK to parse the auth.log?
Which auth.log do you mean, please be more specific.
on debian-(based)-systems /var/log/auth.log
Maybe you can use filebeat as a example:
ok thanks… I’ll try that…
but its sad that graylog doesn’t have standard build-in things… (like auth.log, apache-access/error.log, etc… )