Merge pull request #13 from widhalmt/fix-client-12

Fix mixup of client addresses

Author: widhalmt

filter-50-secure-ssh.conf

@@ -2,7 +2,7 @@ filter {
   if [process][name] == "sshd" or [journald][process][name] == "sshd" {
     if [message] =~ /^(Accepted|Failed)/ {
       grok {
-        match => ["message", "%{WORD:[ssh][auth][result]} %{WORD:[ssh][auth][method]} for (invalid user )?%{USERNAME:[user][name]} from %{IPORHOST:[client][address]} port %{NUMBER:[client][port]} %{NOTSPACE:[ssh][protocol]}(: %{GREEDYDATA:[ssh][signature]})?"]
+        match => ["message", "%{WORD:[ssh][auth][result]} %{WORD:[ssh][auth][method]} for (invalid user )?%{USERNAME:[user][name]} from %{IPORHOST:[client][address]} port %{NUMBER:[client][port]} %{WORD:[ssh][protocol]}(: %{GREEDYDATA:[ssh][signature]})?"]
         id => "ssh_login"
         tag_on_failure => ["_grokparsefaillure","ssh_login_grok_failed"]
       }
@@ -28,7 +28,7 @@ filter {
 
     ## Copy client.address to the matching field according to ECS ##
 
-    if [client][address] =~ /^\w/ {
+    if [client][address] =~ /^[a-zA-Z]/ {
       if !("" in [client][domain]) {
         mutate {
           add_field => {