Add user-defined tag in Grok input

HarimbolaSantatra · December 7, 2025, 9:02am

Is there a way to insert a user-defined tag in a tail input with grok pattern ?

For example, I’m parsing the following line (extracted from /var/log/secure):

Dec  7 11:52:54 myusername sshd-session[24595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.2  user=visitor
Dec  7 11:53:10 myusername sshd-session[24616]: pam_unix(sshd:session): session opened for user visitor(uid=1001) by visitor(uid=0)

I managed to parse it using the telegraf configuration:

[[inputs.tail]]
  files = ["/var/log/secure"]
  data_format = "grok"
  grok_patterns = [
  "sshd-session\\[\\d+\\]: %{WORD:type:tag}\\(sshd:auth\\): authentication failure; logname= uid=%{NUMBER:uid:int} euid=%{NUMBER:euid:int} tty=%{WORD:tty:string} ruser= rhost=%{IP:rhost:string}  user=%{WORD:user:string}",
  "sshd-session\\[\\d+\\]: %{WORD:type:tag}\\(sshd:session\\): session opened for user %{WORD:user:string}\\(uid=\\d+\\)",
  ]

The problem: I want to add a custom tag for each pattern

For example, for a successful or unsuccessfull SSH login, I want to add something like status=success or status=failure.

Thanks!

HarimbolaSantatra · December 7, 2025, 12:22pm

For now, the solution I found is using either the string processor plugin or the default processor.

But I am not sure if it’s the best way to do it.

Topic		Replies	Views
Add tag if grok pattern matched Telegraf grok	6	734	December 15, 2023
Custom log parsing with latest Tail Plugin, GROK and InfluxDB (Grafana ready) Telegraf influxdb , telegraf	7	16145	July 3, 2020
Convert influxdb field into tag value	5	4367	July 22, 2018
Ignore telegraf logs if it contains a particular data using grok Telegraf telegraf , grok	2	656	February 8, 2022
Tag modifier not working with log data Telegraf influxdb , telegraf	0	552	July 1, 2020

Add user-defined tag in Grok input

Related topics