filter {
  if "auth" in [tags] {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{NOTSPACE:logsource} %{SYSLOGPROG}: (?:%{SPACE})?%{GREEDYDATA:logmessage}" }
    }
    mutate {
      add_field => { "module" => "auth" }
    }
  }
}