Hi.
I have a fresh install of the Elastic Stack 7.9.3, including Filebeat with the system module (auth fileset) enabled. To test the SSH parsing I generated the following three log lines in /var/log/secure — the sequence sshd writes when a client exhausts its authentication attempts against a non-existent user:
Oct 28 16:46:54 ELASTIC01 sshd[17840]: Invalid user test from 192.168.20.20 port 56640
Oct 28 16:46:54 ELASTIC01 sshd[17840]: error: maximum authentication attempts exceeded for invalid user test from 192.168.20.20 port 56640 ssh2 [preauth]
Oct 28 16:46:54 ELASTIC01 sshd[17840]: Disconnecting invalid user test 192.168.20.20 port 56640: Too many authentication failures [preauth]
From these, I get three documents in the filebeat-* index.
For the last one, the document keeps the complete log line in the `message` field and no `system.auth.ssh.*` fields are populated; that is what I was expecting, since the pipeline has no pattern for the "Disconnecting" line.
The other two are only partially parsed: the `message` field is dropped and just fragments of the log line end up in the `system.auth.ssh.*` fields:
Log line 1:
system.auth.ssh.event: Invalid
Log line 2:
system.auth.ssh.event: error:
system.auth.ssh.method: maximum authentication attempts exceeded
Note also that only the first document receives `event.category: authentication` and `event.outcome: failure`; the second ("maximum authentication attempts exceeded") gets no `event.category`, `event.type`, `event.action` or `event.outcome` at all, so any detection rule or dashboard that filters on those ECS fields will miss this brute-force indicator.
Complete documents:
{
"_index": "filebeat-7.9.3-2020.10.23-000001",
"_type": "_doc",
"_id": "Ggjkb3UB-NatCz6dIqqL",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "ELASTIC01.dc.commfides.com",
"name": "ELASTIC01.dc.commfides.com",
"id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
"type": "filebeat",
"ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
"version": "7.9.3"
},
"process": {
"name": "sshd",
"pid": 17840
},
"log": {
"file": {
"path": "/var/log/secure"
},
"offset": 16129
},
"source": {
"ip": "192.168.20.20"
},
"fileset": {
"name": "auth"
},
"input": {
"type": "log"
},
"@timestamp": "2020-10-28T16:46:54.000+01:00",
"system": {
"auth": {
"ssh": {
"event": "Invalid"
}
}
},
"ecs": {
"version": "1.5.0"
},
"related": {
"ip": [
"192.168.20.20"
],
"user": [
"test"
]
},
"service": {
"type": "system"
},
"host": {
"hostname": "ELASTIC01",
"os": {
"kernel": "4.18.0-193.19.1.el8_2.x86_64",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"version": "8 (Core)",
"platform": "centos"
},
"ip": [
"192.168.20.142",
"fe80::79a7:2eb:d457:9255"
],
"containerized": false,
"name": "ELASTIC01.dc.commfides.com",
"id": "3d79e460a96b4aa79157c7f691c5d97e",
"mac": [
"00:50:56:9d:71:77"
],
"architecture": "x86_64"
},
"event": {
"timezone": "+01:00",
"kind": "event",
"module": "system",
"action": "ssh_login",
"type": [
"authentication_failure",
"info"
],
"category": [
"authentication"
],
"dataset": "system.auth",
"outcome": "failure"
},
"user": {
"name": "test"
}
},
"fields": {
"@timestamp": [
"2020-10-28T15:46:54.000Z"
],
"suricata.eve.timestamp": [
"2020-10-28T15:46:54.000Z"
]
},
"sort": [
1603900014000
]
}
{
"_index": "filebeat-7.9.3-2020.10.23-000001",
"_type": "_doc",
"_id": "Gwjkb3UB-NatCz6dIqqL",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "ELASTIC01.dc.commfides.com",
"name": "ELASTIC01.dc.commfides.com",
"id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
"type": "filebeat",
"ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
"version": "7.9.3"
},
"process": {
"name": "sshd",
"pid": 17840
},
"log": {
"file": {
"path": "/var/log/secure"
},
"offset": 16216
},
"source": {
"port": 56640,
"ip": "192.168.20.20"
},
"fileset": {
"name": "auth"
},
"input": {
"type": "log"
},
"@timestamp": "2020-10-28T16:46:54.000+01:00",
"system": {
"auth": {
"ssh": {
"method": "maximum authentication attempts exceeded",
"event": "error:"
}
}
},
"ecs": {
"version": "1.5.0"
},
"related": {
"ip": [
"192.168.20.20"
],
"user": [
"test"
]
},
"service": {
"type": "system"
},
"host": {
"hostname": "ELASTIC01",
"os": {
"kernel": "4.18.0-193.19.1.el8_2.x86_64",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"version": "8 (Core)",
"platform": "centos"
},
"containerized": false,
"ip": [
"192.168.20.142",
"fe80::79a7:2eb:d457:9255"
],
"name": "ELASTIC01.dc.commfides.com",
"id": "3d79e460a96b4aa79157c7f691c5d97e",
"mac": [
"00:50:56:9d:71:77"
],
"architecture": "x86_64"
},
"event": {
"timezone": "+01:00",
"kind": "event",
"module": "system",
"dataset": "system.auth"
},
"user": {
"name": "test"
}
},
"fields": {
"@timestamp": [
"2020-10-28T15:46:54.000Z"
],
"suricata.eve.timestamp": [
"2020-10-28T15:46:54.000Z"
]
},
"sort": [
1603900014000
]
}
{
"_index": "filebeat-7.9.3-2020.10.23-000001",
"_type": "_doc",
"_id": "IAjkb3UB-NatCz6dNqoO",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "ELASTIC01.dc.commfides.com",
"name": "ELASTIC01.dc.commfides.com",
"id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
"ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
"type": "filebeat",
"version": "7.9.3"
},
"process": {
"name": "sshd",
"pid": 17840
},
"log": {
"file": {
"path": "/var/log/secure"
},
"offset": 16370
},
"fileset": {
"name": "auth"
},
"message": "Disconnecting invalid user test 192.168.20.20 port 56640: Too many authentication failures [preauth]",
"input": {
"type": "log"
},
"@timestamp": "2020-10-28T16:46:54.000+01:00",
"system": {
"auth": {}
},
"ecs": {
"version": "1.5.0"
},
"service": {
"type": "system"
},
"host": {
"hostname": "ELASTIC01",
"os": {
"kernel": "4.18.0-193.19.1.el8_2.x86_64",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"version": "8 (Core)",
"platform": "centos"
},
"containerized": false,
"ip": [
"192.168.20.142",
"fe80::79a7:2eb:d457:9255"
],
"name": "ELASTIC01.dc.commfides.com",
"id": "3d79e460a96b4aa79157c7f691c5d97e",
"mac": [
"00:50:56:9d:71:77"
],
"architecture": "x86_64"
},
"event": {
"timezone": "+01:00",
"kind": "event",
"module": "system",
"dataset": "system.auth"
}
},
"fields": {
"@timestamp": [
"2020-10-28T15:46:54.000Z"
],
"suricata.eve.timestamp": [
"2020-10-28T15:46:54.000Z"
]
},
"sort": [
1603900014000
]
}