Help needed for scripting for runtime fields

What exact integration are you using?

And in the end, you really want a field so you know whether the login is successful or not based on the message... correct?

"I am trying to create a data view for all login attempts. Similar to the pre-loaded ssh login attempts"

I am asking because there are different ways to do this... This comes back to what you are really trying to accomplish...

Your scale (how much data you ingest / search, etc.) will determine the correct approach.

There are quick fixes and then there is the right way...

Do you have a sense of the scale: how many sources, GB/day, etc.?

For example, this will work but it is not very efficient... so I would not suggest it at scale... but if you have a few hosts it will work. It pulls the message from the _source, which is not as efficient as pulling from the doc_values, which is faster.

// Guard first: .contains() on a missing message would throw and fail the field
if (params._source.message == null) {
    emit('No Login Message');
    return;
}

// Anything that is not an explicit disconnect is treated as a success
if (params._source.message.contains("Received disconnect")) {
    emit('Login Failed');
} else {
    emit('Login Success');
}

If you are going to scale then I would probably take another approach...

I am using 'Auditd Logs' integration for RHEL.
It is pulling logs from /var/log/audit/audit.log* and /var/log/secure*
If I'm looking at it right, it's using the '.ds-logs-system-auth-default-YYYY.MM.DD-000001' index from Data Stream 'logs-system.auth-default' and collects about 8000 docs (6 MB) before rolling over to a new index.
It's a small scale. About 25-30 workstations that I'm monitoring and collecting logs from.

I will try what you recommended now and get back. Thank you again.

@stephenb, thank you so much for being patient with me. It looks like your code worked!!

So when I added this, it brought too many hits. Over 500 hits when it should only be a few.

if (params._source.message == null) {
    emit('No Login Message');
    return;
}

// Every message that is not a keyring failure is counted as a success
if (params._source.message.contains("the password for the login keyring was invalid.")) {
    emit('Login Failed');
} else {
    emit('Login Success');
}

So I changed it to the following to get fewer results (which did work). Is this the most efficient way to write this? ...

// Null guard kept from the earlier version: without it .contains() throws on
// documents that have no message field
if (params._source.message == null) {
    emit('No Login Message');
    return;
}

if (params._source.message.contains("the password for the login keyring was invalid.")) {
    emit('Login Failed');
}

if (params._source.message.contains("unlocked login keyring")) {
    emit('Login Success');
}

And for future reference, does 'params._source.message.contains' refer to every doc that comes into ES?

I am not sure I understand, the script / runtime field is applied to each and every document within the index.
Within the script / when it is actually executing, the script is applied to a single document.

Sorry, disregard what I said. I'm still trying to understand this.

So the code does work, but it looks like it's going through every single event within the logs because when I try to create a visualization, I get 30 hits for "Login Successful", 10 hits for "Login Failed", but 90,000 hits for "No Login Message" for just today, which ruins my dashboards.

So I guess my question is... Is there a way to filter out that specific line, so the hits for "No Login Message" do not show up on my visualization? Because without this line, the script does not work.

if (params._source.message == null) {
    emit('No Login Message');
    return;
}

I think you can fix it by adding a filter to your visualization. +Add Filter -> [your message field], Operator = "is not", Value = "No Login Message".

So it won't affect your script, it'll just take that result out of your visualization.

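A consolidated version of the runtime field script discussed in this thread, added here as an example and not taken from any of the posts above. It keeps the null guard (the script must return before calling .contains() on a missing message) but does not emit a value in that branch, so documents without a message have no value for the field and never form a bucket in a terms visualization; the field name login_outcome is assumed, and the script still reads from _source, with the scale caveat stephenb raised.

```painless
// Added example (not from the thread): runtime field script for the Kibana data view.
// Assumed field name: login_outcome (type keyword).

// Guard first: .contains() on a missing message throws a NullPointerException and
// fails the whole field. Returning WITHOUT emit() leaves this document with no
// login_outcome value, so there is no 'No Login Message' bucket to filter out later.
if (params._source.message == null) {
    return;
}

// Read once from _source (works at this scale; doc values would be faster, see above)
def msg = params._source.message;

if (msg.contains("the password for the login keyring was invalid.")) {
    emit('Login Failed');
    return;
}

if (msg.contains("unlocked login keyring")) {
    emit('Login Success');
    return;
}

// Any other auth message: emit nothing, so it is excluded from login_outcome
// counts instead of inflating 'Login Success' the way the first version did.
```

The "is not" visualization filter from the previous reply then becomes unnecessary, because only the two emitted values ever reach the terms aggregation.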

Thank you, @mhoward. That seemed to work.
