Hi,

Below is my configuration file

filter {
if [type] == "sftp_authlog" {
grok {
pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

match => { "message" => "fail" }

}
}
}

output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }

email {
#type => "sftp_authlog"
match => [ "fail","%{@message}" ]

match => { "message" => "fail" }

match =>["messageAndSourceMatch", "@message,fail"]
to => "gaurav.gurani@xyz.com"
from => "logstash@xyz.com"
options => [ "smtpIporHost", "x.x.x.x","port", "xx" ]
#from => "logstash@hcentive.com"
subject => "Found '%{matchName}' Alert on %{@source_host}"
#to => "gaurav.gurani@hcentive.com"
body => "Here is the event line that occured: %{@message}"
htmlbody => "

%{matchName}

Full Event

sftp_authlog- this is catching logs from remote host(with logstash-forwarder) and i am applying filter in logstash server.i am not able to receive the mails from above config .but when i am commenting the match inside email block then mail is coming but that was blank mail

Requirement :- i want to receive from logstash when certain login failure attempted

Could you edit your post to make it more readable? It's hard to understand exactly what your configuration looks like. Select the text and click the "Preformatted text" button in the toolbar or press Ctrl+K.

What version of Logstash is this? You're using a couple of constructs that aren't supported in reasonably recent versions.

Hi,

Below are my conf files

file inside logstash server 192.168.0.1

filter {
 if [type] == "sftp_authlog" {
  grok {
pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
   match => { "message" => "fail" }
 }
}
}

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }


email {
match => [ "fail","%{@message}" 
to => "<gaurav.gurani@abc.com>"
from => "<logstash@abc.com>"
options => [ "smtpIporHost", "192.168.0.25","port", "25" ]
subject => "Found '%{matchName}' Alert on %{@source_host}"
body => "Here is the event line that occured: %{@message}"
htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
}
}

----------------------------------------------------------------------------------------

logstash version:-logstash 1.4.2-modified
---------------------------------------------------------------------------------------
Logstash-forwarder.conf
IP of logstash forwarder 192.168.0.2

{
  "network": {
    "servers": [ "192.168.0.1:5000" ],
    "timeout": 15,
    "ssl certificate": "/etc/pki/tls/apache.star.hcentive.com.crt",
    "ssl key": "/etc/pki/tls/nopwd.key",
    "ssl ca": "/home/mustafa/gd_bundle-g2-g1.crt",
    "ssl strict verify": "false" },


  "files": [
    {
      "paths": [
        "/var/log/auth.log" ],
      "fields": { "type": "sftp_authlog" }
    }
   ]
}

and first of all thanx a lot for quick respose

...and what version of Logstash?

logstash version:-logstash 1.4.2-modified

Okay. That might've worked for older releases of Logstash (I only know 1.4 and 1.5) but for 1.4 there's a lot of craziness in there that just doesn't work. What's it supposed to do? Are you trying to send the email conditionally? On what condition?

i want to send mail alerts when "authentication failure" string found in auth logs

Oh. That's easy:

output {
  if "authentication failure" in [message] {
    email {
      ...
    }
  }
}

This i have to write in output file along with filters? or i have to write in separate file.

Is this correct??

Please check below file

filter {
 if [type] == "sftp_authlog" {
  grok {
pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
   match => { "message" => "fail" }
 }
}
}

output {
  elasticsearch { host => localhost }
 # stdout { }
  stdout { codec => rubydebug }
if "authentication failure" in [ message ] {
email {
#type => "sftp_authlog"
#match => [ "fail","%{@message}" ]
# match => { "message" => "fail" }
match =>["messageAndSourceMatch", "@message,*fail*"]
to => "<gaurav.gurani@hcentive.com>"
from => "<logstash@hcentive.com>"
options => [ "smtpIporHost", "10.10.0.111","port", "25" ]
#from => "<logstash@hcentive.com>"
subject => "Found '%{matchName}' Alert on %{@source_host}"
#to => "<gaurav.gurani@hcentive.com>"
body => "Here is the event line that occured: %{@message}"
htmlbody => "<br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
}
}}

Your grok filter should look like this:

grok {
  match => [
    "message",
    "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  ]
 }

Other comments:

• References to the fields @message and @source_host are incorrect. Those are legacy field names that aren't used in Logstash 1.4. Use message and host instead.
• There's no match parameter to the email output.

Hi Magnusbaeck,

I apply that condition which you mentioned like following, but I received alot alert in email even match single word or multiple alphabet, like au* or fai, I just want to logstash just alert on specific word ! "authentication" , your help would be appreciated .

output {
if "authentication failure" in [message] {
email {
...
}
}
}

@asifalis, please start a new thread for your unrelated problem.