1. filebeat — collects /var/log/secure

2. logstash filter

  
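# Parse sshd authentication events shipped from /var/log/secure and enrich the
# client address with GeoIP data.
#
# Fields produced on a match: username, src_ip, port (a string, as BASE10NUM
# does no type conversion) and, for accepted logins, auth_method. Tag names are
# kept byte-for-byte (including the "sucessful" misspelling) because downstream
# dashboards and alerts may already key on them.
filter {

  # Run each grok only against lines it can match. Unconditionally applying
  # both patterns tags every other line in the file (sudo, su, pam, ...) with
  # _grokparsefailure twice.
  if [message] =~ /Failed password for/ {
    grok {
      # sshd writes "... Failed password for invalid user NAME ..." for unknown
      # accounts; the optional group covers both forms. NAME is client-supplied
      # in that case, so treat [username] as untrusted text downstream.
      # USERNAME (no whitespace) is kept deliberately instead of DATA: with a
      # free-form capture, a client-chosen name containing " from <ip> port <n>
      # ssh2" could make the parser record a spoofed src_ip. With USERNAME such
      # lines simply fail to parse, which is the safer outcome.
      match => { "message" => "%{SYSLOGBASE} Failed password for (?:invalid user )?%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
      # A single failure is not brute force by itself; the tag marks the event
      # class. Thresholding (N failures per src_ip per time window) belongs in
      # the alerting layer.
      add_tag => [ "ssh_brute_force_attack" ]
    }
  }
  else if [message] =~ /Accepted \w+ for/ {
    grok {
      # Generalised from "Accepted password" so key-based (publickey) logins are
      # recorded as successful logins too; the method is kept in [auth_method].
      match => { "message" => "%{SYSLOGBASE} Accepted %{WORD:auth_method} for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
      add_tag => [ "ssh_sucessful_login" ]
    }
  }

  # GeoIP is only meaningful when a client address was extracted; running it on
  # every event would tag the rest with _geoip_lookup_failure.
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      add_tag => [ "ssh-geoip" ]
      # Longitude first: a geo_point array is [lon, lat]. Both values are
      # appended to the same field, so [geoip][coordinates] becomes a
      # two-element array, as with the previous pair of add_field lines.
      add_field => {
        "[geoip][coordinates]" => [ "%{[geoip][longitude]}", "%{[geoip][latitude]}" ]
        "geoipflag" => "true"
      }
    }
  }

}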