I want to extract the following information and make it a field called "error message".
index=os source="/var/log/syslog" "*authentication failure*" OR "Generic preauthentication failure"
Example events:
Nov 28 01:02:31 server1 sssd[ldap_child[12010]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Generic preauthentication failure. Unable to create GSSAPI-encrypted LDAP connection.
Nov 28 01:02:29 server2 proxy_child[1939385]: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.177.46.57 user=hippm
What defines the start and end of the error text in each of those examples, and how much of that do you want to get in error_message?
You could very simply do this
| rex "\]:\s(?<error_message>.*)"
which would take everything after the ]: to the end of the event
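As an added example (not part of the question or the answer above), the rex from the answer run in Python over the two events from the question, so you can see exactly what lands in error_message. Python spells Splunk's `(?<name>...)` named group as `(?P<name>...)`. The header-anchored regex, the PAM key=value split and the third no-PID event are my own assumptions added to show where splitting on the first `]:` differs from splitting on the syslog header.

```python
import re

# Constructed sample events. The first two are copied from the question;
# the third is made up here to show a process logged without a [pid].
EVENTS = [
    "Nov 28 01:02:31 server1 sssd[ldap_child[12010]]: Failed to initialize "
    "credentials using keytab [MEMORY:/etc/krb5.keytab]: Generic "
    "preauthentication failure. Unable to create GSSAPI-encrypted LDAP connection.",
    "Nov 28 01:02:29 server2 proxy_child[1939385]: pam_unix(system-auth-ac:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
    "rhost=10.177.46.57 user=hippm",
    # constructed, not from the question: no [pid] and a bracket-colon in the body
    "Nov 28 01:03:00 server3 sshd: lookup for [10.0.0.5]: failed",
]

# The answer's rex, in Python's named-group syntax.
REX_ANSWER = re.compile(r"\]:\s(?P<error_message>.*)")

# Assumed stricter alternative: anchor on the syslog header (timestamp, host,
# process) rather than on the first "]:", so bracketed text inside the message
# body, or a missing [pid], cannot move the split point.
REX_HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<process>\S+?):\s+"
    r"(?P<error_message>.*)$"
)

# Assumed follow-up split for PAM messages of the form
# pam_<module>(<service>:<type>): <text>; key=value key=value ...
REX_PAM = re.compile(
    r"^(?P<pam_module>pam_\w+)\((?P<pam_service>[^:)]+):(?P<pam_type>[^)]+)\):\s+"
    r"(?P<text>[^;]+);\s*(?P<kv>.*)$"
)


def extract_error_message(event):
    """Apply the answer's rex: everything after the first ']: ' in the event."""
    m = REX_ANSWER.search(event)
    return m.group("error_message") if m else None


def parse_syslog(event):
    """Split on the syslog header instead; returns None when the line does not match."""
    m = REX_HEADER.match(event)
    return m.groupdict() if m else None


def parse_pam_fields(error_message):
    """For pam_* messages return module, service, type, short text and the
    key=value pairs (an empty value such as 'ruser=' maps to ''); {} otherwise."""
    m = REX_PAM.match(error_message)
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if k != "kv"}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        msg = extract_error_message(event)
        print("rex    :", msg)
        print("header :", parse_syslog(event)["error_message"])
        print("pam    :", parse_pam_fields(msg) or "-")
        print()
```

For the two events in the question both approaches return the same error_message, because the first `]:` is the end of the process name. The constructed third line shows the difference: the answer's rex yields only "failed", while the header-anchored split keeps "lookup for [10.0.0.5]: failed". Check which shape your own sources produce before settling on the shorter rex.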