Hello,
I'm trying to filter logs from auth.log on a linux server. I want to tag with "ssh_successful_login", "ssh_failed_login", "ssh_brute_force".
Mar 3 16:56:22 test sshd[8510]: Failed password for user1 from 192.168.2.3 port 34852 ssh2
Mar 3 16:56:25 test sshd[8510]: Accepted password for user1 from 192.168.2.3 port 34852 ssh2
Mar 3 16:57:46 test sshd[5328]: Failed password for invalid user user2 from 192.168.2.3 port 45512 ssh2
You could e.g. use multiple grok filters.
filter {
if "grokked" not in [tags] {
grok {
match => ["message", "... Failed password ... "]
add_tag = ["ssh_failed_login", "grokked"]
}
}
if "grokked" not in [tags] {
grok {
match => ["message", "... Accepted password ... "]
add_tag = ["ssh_successful_login", "grokked"]
}
}
}
Hey,
Thanks for your help. The logic was enough to help me get where I wanted. Below is what I ended up with.
filter {
if [type] == 'auth' {
grok { match => { 'message' => '%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME} %{WORD:program}%{GREEDYDATA:msgsplit}' }
}
# SSH successful login
if "grokked" not in [tags] and "sshd" == [program] {
grok { match => [ "msgsplit", "[%{BASE10NUM}]: Accepted password for %{USERNAME:user} from %{IP:src_ip} port %{BASE10NUM}\s+ssh%{BASE10NUM}" ]
add_tag => [ "ssh_successful_login", "grokked" ]
tag_on_failure => [ ]
}
}
# SSH failed login
if "grokked" not in [tags] and "sshd" == [program] {
grok { match => [ "msgsplit", "[%{BASE10NUM}]: Failed password for %{USERNAME:user} from %{IP:src_ip} port %{BASE10NUM}\s+ssh%{BASE10NUM}" ]
add_tag => [ "ssh_failed_login", "grokked" ]
tag_on_failure => [ ]
}
}
# SSH Brute force attemp
if "grokked" not in [tags] and "sshd" == [program] {
grok { match => [ "msgsplit", "[%{BASE10NUM}]: Failed password for invalid user %{USERNAME:user} from %{IP:src_ip} port %{BASE10NUM}\s+ssh%{BASE10NUM}" ]
add_tag => [ "ssh_brute_force", "grokked" ]
tag_on_failure => [ ]
}
}
# Remove excess data
if "grokked" in [tags] and "sshd" == [program]{
mutate {
remove_field => [ "message", "fields", "input_type", "offset", "source", "program", "msgsplit" ]
remove_tag => [ "beats_input_codec_plain_applied" ]
}
}
} #End if[type] == "auth"
} # End Filter
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.