Add event type

Author: afeefghannam89

filter-ssh.conf

@@ -4,24 +4,36 @@ filter {
         match => ["message", "%{WORD:[ssh][auth][result]} %{WORD:[ssh][auth][method]} for (invalid user )?%{USERNAME:[user][name]} from %{IPORHOST:[client][address]} port %{NUMBER:[client][port]} %{WORD:[ssh][protocol]}(: %{GREEDYDATA:[ssh][signature]})?"]
         id => "ssh_login"
         tag_on_failure => ["_grokparsefaillure","ssh_login_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_authentication"
+        }
       }
     } else if [message] =~ /^Invalid/ {
       grok {
         match => ["message","%{DATA:[ssh][auth][event]} user %{USERNAME:[user][name]} from %{IPORHOST:[client][address]}"]
         id => "ssh_login_suspection"
         tag_on_failure => ["_grokparsefaillure","ssh_login_suspection_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_invalid_login"
+        }
       }
     } else if [message] =~ /pam_unix/ {
       grok {
         match => ["message","pam_unix\(%{DATA:[session][type]}\:session\)\: session %{DATA:[ssh][session][status]} for user %{USERNAME:[user][name]}( by (.*)?\(uid\=%{NUMBER:[uid]}\))?"]
         id => "pam_unix_session"
         tag_on_failure => ["_grokparsefaillure","pam_unix_session_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_session_status"
+        }
       }
     } else if [message] =~ /^Did not receive identification string/ {
       grok {
         match => ["message","Did not receive identification string from %{IPORHOST:[client][ip]} port %{NUMBER:[client][port]}"]
         id => "ssh_monitoring_noidentstring"
         tag_on_failure => ["_grokparsefaillure","ssh_monitoring_noidentstring_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_noidentstring"
+        }
       }
     }