GROK not match

Elastic Stack Logstash
1

Pls help..
I don't know why my logstash filter config doesn't match system message "Failed password for invalid user bbbbbbbbbbbbbb from 10.10.64.74 port 62561 ssh2"

My filter config:

filter {
  if [fileset][module] == "system" {
    if [fileset][name] == "auth" {
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
        pattern_definitions => {
          "GREEDYMULTILINE"=> "(.|\n)*"
        }
        remove_field => "message"
      }
      date {
        match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
      }
    }
    else if [fileset][name] == "syslog" {
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
        pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
        remove_field => "message"
      }
      date {
        match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
  }
}

This is result:

{
  "_index": "filebeat-7.6.2-2020.04.28",
  "_type": "_doc",
  "_id": "bG4PwHEB8SV2kjxDVn84",
  "_version": 1,
  "_score": null,
  "_source": {
    "@version": "1",
    "@timestamp": "2020-04-28T09:12:40.907Z",
    "input": {
      "type": "log"
    },
    "ecs": {
      "version": "1.4.0"
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 715
    },
    "message": "Apr 28 16:12:39 ELK-LOGS sshd[11274]: Failed password for invalid user aaaaaaaaaaaaaaaa from 10.64.128.74 port 62511 ssh2",
    "agent": {
      "ephemeral_id": "3862ff3f-8220-45a5-a99e-c70a875b7087",
      "hostname": "ELK-LOGS",
      "version": "7.6.2",
      "type": "filebeat",
      "id": "49f6dd26-9d17-417f-9a63-5ca2b068b101"
    },
    "host": {
      "os": {
        "codename": "Core",
        "name": "CentOS Linux",
        "kernel": "3.10.0-1062.9.1.el7.x86_64",
        "version": "7 (Core)",
        "platform": "centos",
        "family": "redhat"
      },
      "architecture": "x86_64",
      "hostname": "ELK-LOGS",
      "name": "ELK-LOGS",
      "containerized": false,
      "id": "8766f9473ae547108e6e3d00298256a1"
    },
    "service": {
      "type": "system"
    },
    "event": {
      "timezone": "+07:00",
      "module": "system",
      "dataset": "system.auth"
    },
    "fileset": {
      "name": "auth"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ]
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2020-04-28T09:12:40.907Z"
    ],
    "@timestamp": [
      "2020-04-28T09:12:40.907Z"
    ]
  },
  "highlight": {
    "message": [
      "Apr 28 16:12:39 ELK-LOGS sshd[11274]: Failed password for invalid user @kibana-highlighted-field@aaaaaaaaaaaaaaaa@/kibana-highlighted-field@ from 10.64.128.74 port 62511 ssh2"
    ]
  },
  "sort": [
    1588065160907
  ]
}
2

Your event does not have a [fileset][module] field, so none of those grok filters will be applied.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.