Aggregate secure/sshd syslog event based on selected events

Sorry if my question is unclear. So basically, I just want to ensure that the user-id seen on the first event and last event match. Therefore, I have stored the user-id in the map as a variable called sourceUserid in the first if statement.

m = event.get("message").match(/Accepted password for (\w+) from (.*) port (\d+)/)
map["sourceUserid"] = m[1]

Then by doing a comparison in the else if statement using the map["sourceUserid"] in [@metadata][restOfLine]:

else if [@metadata][restOfLine] =~ /session closed/ && map["sourceUserid"] in [@metadata][restOfLine]

I tried this but it just doesn't allow me to do so. Just wondering what can be done?

No, I don't think this is possible.

Also, what is the logic behind this conditional? You are already using a unique identifier with the program name + pid to aggregate, and from what you shared this will already match the login event and the logout event.

If you want to use the user name as the identifier for the aggregate filter you would need to parse the field [@metadata][restOfLine] in both types of message and create a field with the user name as the value.

I realized that the sshd[id] is consistent for all the sshd events for the root account. But for other users, the sshd[id] might be different between the events, and only consistent for the first and last event.

Therefore, I would like to use the username as another identifier to cross check in the else if statement. Just in case there are "same" program name + pid received by multiple inputs.

How would you parse the field [@metadata][restOfLine] since the username is located in different sections of the message:

  1. <86>Mar 24 12:13:13 localhost sshd[19655]: Accepted password for userA from 10.8.4.23 port 55064 ssh2
  2. <86>Mar 24 12:13:16 localhost sshd[19655]: pam_unix(sshd:session): session closed for user userA

So, what is the issue then? You are aggregating the first and last event already.

<86>Mar 24 12:13:13 localhost sshd[19655]: Accepted password for userA from 10.8.4.23 port 55064 ssh2
<86>Mar 24 12:13:16 localhost sshd[19655]: pam_unix(sshd:session): session closed for user userA

In those two messages the sshd[id] is the same.

Can you share an example of it? The messages you shared have the same process and PID.

Also, if you use the user name to aggregate you will not be able to differentiate between different connections.
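Parsing the user name out of both message types (as suggested above) and still keying the correlation on the sshd PID rather than on the user (so separate connections stay separate) could look like this in Ruby, the language of the aggregate filter's code option. This is an added example, not code from the thread; the two quoted syslog lines are reused and the remaining sample lines are constructed.

```ruby
# Split an sshd syslog line into the PID and the text after "sshd[pid]: ".
SSHD_LINE = /sshd\[(?<pid>\d+)\]: (?<rest>.*)$/
# Login line: "Accepted password for userA from 10.8.4.23 port 55064 ssh2"
OPEN_RE   = /^Accepted \w+ for (?<user>\S+) from (?<ip>\S+) port (?<port>\d+)/
# Logout line: "pam_unix(sshd:session): session closed for user userA"
CLOSE_RE  = /session closed for user (?<user>\S+)/

# Returns a hash with :pid, :user and :kind (:open or :close), or nil for
# lines that are not an sshd login/logout message.
def parse_sshd(line)
  m = SSHD_LINE.match(line) or return nil
  rest = m[:rest]
  if (o = OPEN_RE.match(rest))
    { pid: m[:pid], user: o[:user], ip: o[:ip], kind: :open }
  elsif (c = CLOSE_RE.match(rest))
    { pid: m[:pid], user: c[:user], kind: :close }
  end
end

# Correlate open/close events by PID (the aggregate filter's task_id) and
# record whether the user on the close event matches the one on the open.
def correlate(lines)
  open_sessions = {}
  sessions = []
  lines.each do |line|
    ev = parse_sshd(line) or next
    case ev[:kind]
    when :open
      open_sessions[ev[:pid]] = ev
    when :close
      start = open_sessions.delete(ev[:pid])
      next unless start   # close without a matching open: ignore
      sessions << { pid: ev[:pid], user: start[:user], ip: start[:ip],
                    user_match: start[:user] == ev[:user] }
    end
  end
  sessions
end

# Constructed sample: the two lines from the thread plus a second session
# (PID 20001) whose close names a different user, and an unrelated line.
SAMPLE = [
  "<86>Mar 24 12:13:13 localhost sshd[19655]: Accepted password for userA from 10.8.4.23 port 55064 ssh2",
  "<86>Mar 24 12:13:14 localhost cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
  "<86>Mar 24 12:13:15 localhost sshd[20001]: Accepted password for userB from 10.8.4.99 port 40100 ssh2",
  "<86>Mar 24 12:13:16 localhost sshd[19655]: pam_unix(sshd:session): session closed for user userA",
  "<86>Mar 24 12:13:17 localhost sshd[20001]: pam_unix(sshd:session): session closed for user userC",
]
```

Running `correlate(SAMPLE)` yields two sessions, the second flagged with `user_match: false`, which is the cross-check the question asked for without losing per-connection separation.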

You are right. I should not be worried about that. Anyway, thanks for your help. I have made some minor adjustments to fit my use case and it's working now. Appreciate it.
