Splunk Search

Field Extraction from vcenter sshd logs


Hi team, I would like to extract the following fields from vcenter logs that are being sent to Splunk on a dedicated port.

Sample log as below:

2021-01-18T06:21:11.752139+00:00 test101 sshd[21656] Accepted password for root from 76.87.981.72 port 49881 ssh2

I am already using the Splunk_TA_vcenter from splunk_add_on_from_vmware but no luck in extraction.

Need to extract the following fields:

Field name    Field value

app                    sshd

user                   root

src_ip               76.87.981.72

dest                   test101

action               success

tag                      authentication 

thanks in advance.

Labels (1)
Tags (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!