Splunk Search

Field Extraction from vcenter sshd logs


Hi team, I would like to extract the following fields from vcenter logs that are being sent to Splunk on a dedicated port.

Sample log as below:

2021-01-18T06:21:11.752139+00:00 test101 sshd[21656] Accepted password for root from 76.87.981.72 port 49881 ssh2

I am already using the Splunk_TA_vcenter from splunk_add_on_from_vmware but no luck in extraction.

Need to extract the following fields:

Field name    Field value

app                    sshd

user                   root

src_ip               76.87.981.72

dest                   test101

action               success

tag                      authentication 

thanks in advance.

Labels (1)
Tags (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.