Grok for auth.log

Does someone have a complete GROK to parse the auth.log?

Which auth.log do you mean? Please be more specific.

On Debian(-based) systems, /var/log/auth.log

Maybe you can use Filebeat as an example:

OK, thanks… I’ll try that…
But it’s sad that Graylog doesn’t have standard built-in things… (like auth.log, apache-access/error.log, etc.)
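
A minimal parser for the Debian /var/log/auth.log format asked about in this thread, as an added example (not from any poster, Filebeat or Graylog). Python named groups play the role of Grok captures; the field names, the sshd message patterns and the sample lines are assumptions constructed for illustration.

```python
import re

# Traditional syslog header used in Debian's /var/log/auth.log:
# "Mon DD HH:MM:SS host program[pid]: message" (pid is optional, no year).
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Per-program message patterns (assumed field names); extend for sudo, su, ...
SSHD = [
    ("login_failed", re.compile(
        r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("login_accepted", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
]

def parse_line(line):
    """Return a dict of fields, or None if the line is not syslog-shaped."""
    m = HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    if event["program"] == "sshd":
        for name, pattern in SSHD:
            d = pattern.match(event["message"])
            if d:
                event.update(d.groupdict(), event_type=name)
                # Normalise the optional "invalid user " capture to a boolean.
                event["invalid"] = bool(event.get("invalid"))
                break
    return event

# Constructed sample lines (documentation IP ranges, made-up host and users).
SAMPLE = [
    "Mar  5 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  5 10:15:09 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2",
    "Mar  5 10:17:01 web01 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  5 10:18:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw))
```

Lines that match the header but no message pattern still come back with `timestamp`, `host`, `program`, `pid` and `message`, so nothing is dropped while the pattern table is incomplete.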