Filebeat on CentOS 8 doesn't seem to properly parse sshd failure messages in /var/log/secure

Hi.

I have a fresh install of the Elastic Stack 7.9.3, including Filebeat with the system module enabled (auth fileset reading /var/log/secure). I wrote the following three test log lines, which are the sequence sshd emits for a brute-force attempt against a non-existent account (invalid user, maximum authentication attempts exceeded, disconnect):

Oct 28 16:46:54 ELASTIC01 sshd[17840]: Invalid user test from 192.168.20.20 port 56640
Oct 28 16:46:54 ELASTIC01 sshd[17840]: error: maximum authentication attempts exceeded for invalid user test from 192.168.20.20 port 56640 ssh2 [preauth]
Oct 28 16:46:54 ELASTIC01 sshd[17840]: Disconnecting invalid user test 192.168.20.20 port 56640: Too many authentication failures [preauth]

From these, I get three documents in the filebeat-* index:

For the last line, the document keeps the complete log line in the `message` field and nothing is parsed out of it (no `source.ip`, `user.name`, `event.outcome` or `system.auth.*` fields). Keeping the raw message is what I was expecting.

The other two documents have no `message` field at all; instead the parsing produces only the following fragments of the log line:
Log line 1:
system.auth.ssh.event: Invalid (the first word of the message; this document does get `event.action: ssh_login`, `event.category: authentication` and `event.outcome: failure`)

Log line 2:
system.auth.ssh.event: error:
system.auth.ssh.method: maximum authentication attempts exceeded (the error text lands in the field meant for the authentication method, and the document gets no `event.action`, `event.category` or `event.outcome`)

Practical consequence: a detection rule or dashboard keyed on `event.category:authentication AND event.outcome:failure` sees only line 1, and a brute-force count grouped by `source.ip` never sees line 3, because that document has no `source.ip` or `user.name`. Note also that the `user.name` value in an "Invalid user ..." line is whatever the unauthenticated client sent, so it should be treated as untrusted input when building queries or visualisations on it.

Complete documents (search hits, including the `_index`, `fields` and `sort` metadata):

{
  "_index": "filebeat-7.9.3-2020.10.23-000001",
  "_type": "_doc",
  "_id": "Ggjkb3UB-NatCz6dIqqL",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "ELASTIC01.dc.commfides.com",
      "name": "ELASTIC01.dc.commfides.com",
      "id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
      "type": "filebeat",
      "ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
      "version": "7.9.3"
    },
    "process": {
      "name": "sshd",
      "pid": 17840
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 16129
    },
    "source": {
      "ip": "192.168.20.20"
    },
    "fileset": {
      "name": "auth"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2020-10-28T16:46:54.000+01:00",
    "system": {
      "auth": {
        "ssh": {
          "event": "Invalid"
        }
      }
    },
    "ecs": {
      "version": "1.5.0"
    },
    "related": {
      "ip": [
        "192.168.20.20"
      ],
      "user": [
        "test"
      ]
    },
    "service": {
      "type": "system"
    },
    "host": {
      "hostname": "ELASTIC01",
      "os": {
        "kernel": "4.18.0-193.19.1.el8_2.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "8 (Core)",
        "platform": "centos"
      },
      "ip": [
        "192.168.20.142",
        "fe80::79a7:2eb:d457:9255"
      ],
      "containerized": false,
      "name": "ELASTIC01.dc.commfides.com",
      "id": "3d79e460a96b4aa79157c7f691c5d97e",
      "mac": [
        "00:50:56:9d:71:77"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "timezone": "+01:00",
      "kind": "event",
      "module": "system",
      "action": "ssh_login",
      "type": [
        "authentication_failure",
        "info"
      ],
      "category": [
        "authentication"
      ],
      "dataset": "system.auth",
      "outcome": "failure"
    },
    "user": {
      "name": "test"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-28T15:46:54.000Z"
    ],
    "suricata.eve.timestamp": [
      "2020-10-28T15:46:54.000Z"
    ]
  },
  "sort": [
    1603900014000
  ]
}

{
  "_index": "filebeat-7.9.3-2020.10.23-000001",
  "_type": "_doc",
  "_id": "Gwjkb3UB-NatCz6dIqqL",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "ELASTIC01.dc.commfides.com",
      "name": "ELASTIC01.dc.commfides.com",
      "id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
      "type": "filebeat",
      "ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
      "version": "7.9.3"
    },
    "process": {
      "name": "sshd",
      "pid": 17840
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 16216
    },
    "source": {
      "port": 56640,
      "ip": "192.168.20.20"
    },
    "fileset": {
      "name": "auth"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2020-10-28T16:46:54.000+01:00",
    "system": {
      "auth": {
        "ssh": {
          "method": "maximum authentication attempts exceeded",
          "event": "error:"
        }
      }
    },
    "ecs": {
      "version": "1.5.0"
    },
    "related": {
      "ip": [
        "192.168.20.20"
      ],
      "user": [
        "test"
      ]
    },
    "service": {
      "type": "system"
    },
    "host": {
      "hostname": "ELASTIC01",
      "os": {
        "kernel": "4.18.0-193.19.1.el8_2.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "8 (Core)",
        "platform": "centos"
      },
      "containerized": false,
      "ip": [
        "192.168.20.142",
        "fe80::79a7:2eb:d457:9255"
      ],
      "name": "ELASTIC01.dc.commfides.com",
      "id": "3d79e460a96b4aa79157c7f691c5d97e",
      "mac": [
        "00:50:56:9d:71:77"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "timezone": "+01:00",
      "kind": "event",
      "module": "system",
      "dataset": "system.auth"
    },
    "user": {
      "name": "test"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-28T15:46:54.000Z"
    ],
    "suricata.eve.timestamp": [
      "2020-10-28T15:46:54.000Z"
    ]
  },
  "sort": [
    1603900014000
  ]
}

{
  "_index": "filebeat-7.9.3-2020.10.23-000001",
  "_type": "_doc",
  "_id": "IAjkb3UB-NatCz6dNqoO",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "ELASTIC01.dc.commfides.com",
      "name": "ELASTIC01.dc.commfides.com",
      "id": "b1da9a65-f3ed-4512-97bd-defb448cd30c",
      "ephemeral_id": "4326b00a-8337-4a45-bed2-40104fd1d269",
      "type": "filebeat",
      "version": "7.9.3"
    },
    "process": {
      "name": "sshd",
      "pid": 17840
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 16370
    },
    "fileset": {
      "name": "auth"
    },
    "message": "Disconnecting invalid user test 192.168.20.20 port 56640: Too many authentication failures [preauth]",
    "input": {
      "type": "log"
    },
    "@timestamp": "2020-10-28T16:46:54.000+01:00",
    "system": {
      "auth": {}
    },
    "ecs": {
      "version": "1.5.0"
    },
    "service": {
      "type": "system"
    },
    "host": {
      "hostname": "ELASTIC01",
      "os": {
        "kernel": "4.18.0-193.19.1.el8_2.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "8 (Core)",
        "platform": "centos"
      },
      "containerized": false,
      "ip": [
        "192.168.20.142",
        "fe80::79a7:2eb:d457:9255"
      ],
      "name": "ELASTIC01.dc.commfides.com",
      "id": "3d79e460a96b4aa79157c7f691c5d97e",
      "mac": [
        "00:50:56:9d:71:77"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "timezone": "+01:00",
      "kind": "event",
      "module": "system",
      "dataset": "system.auth"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-28T15:46:54.000Z"
    ],
    "suricata.eve.timestamp": [
      "2020-10-28T15:46:54.000Z"
    ]
  },
  "sort": [
    1603900014000
  ]
}

Hi!

I see that the module's grok patterns are tested against fixture logs from various environments: https://github.com/elastic/beats/tree/13a54632caa9c69f1126733addbfa2e69a34f2d4/filebeat/module/system/auth/test — from your documents it looks like the CentOS 8 sshd message forms you posted (`error: maximum authentication attempts exceeded ...` and `Disconnecting invalid user ...`) are not among the covered cases.

Would you like to open a GitHub issue and let the team know about your case? Please include the Filebeat version (7.9.3), the OS, the three raw log lines and the resulting documents so they can evaluate whether these messages should be supported too. Until then, bear in mind that only the first of the three events carries `event.outcome: failure`, so any alerting on failed SSH logins from this host will undercount.

Thanks!