Hi,
I am looking for transaction-specific processing in Logstash. For example, I have a Linux server with one user account 'aaa' that has admin access.
In case 'aaa' is trying to log in to one Linux server with multiple login attempts followed by a successful login, i.e., if the user 'aaa' types an incorrect password two times and on the third time enters the password correctly,
then in /var/log/secure I will have the below set of logs:
Jan 25 07:41:54 localhost sshd[2347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=s249635
Jan 25 07:41:56 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:41:59 localhost unix_chkpwd[2350]: password check failed for user (s249635)
Jan 25 07:42:01 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:03 localhost sshd[2347]: Accepted password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:04 localhost sshd[2347]: pam_unix(sshd:session): session opened for user s249635 by (uid=0)
My requirement is that I have to capture the admin user who is trying to access the server with multiple logon failures followed by a successful login, and the count of failed attempts.
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} sshd\[%{POSINT:pid}\]: pam_unix\(sshd:auth\): authentication failure;%{GREEDYDATA}user=%{USERNAME:username}" }
Can you please tell me how I can handle it for this specific transaction?
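Grok on its own is stateless: it parses one line at a time, so "N failures followed by a success" has to be correlated across events, which in Logstash is normally done with the aggregate filter or a ruby filter. The following is an added, stand-alone Python example (not the poster's code and not a Logstash filter) that shows the correlation logic itself over the sample /var/log/secure lines from the post. It assumes a set of watched admin accounts (ADMIN_USERS) and a failure threshold (THRESHOLD), both constructed for the example, and it counts only the sshd "Failed password"/"Accepted password" lines so that the pam_unix and unix_chkpwd lines, which describe the same attempts, are not double counted.

```python
import re
from collections import defaultdict

# Constructed sample input: the same /var/log/secure lines quoted in the post.
SAMPLE_LOG = """Jan 25 07:41:54 localhost sshd[2347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=s249635
Jan 25 07:41:56 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:41:59 localhost unix_chkpwd[2350]: password check failed for user (s249635)
Jan 25 07:42:01 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:03 localhost sshd[2347]: Accepted password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:04 localhost sshd[2347]: pam_unix(sshd:session): session opened for user s249635 by (uid=0)
"""

# Assumptions for the example: which accounts are privileged, and how many
# failures before a success should raise an alert.
ADMIN_USERS = {"s249635"}
THRESHOLD = 2

# Only the sshd outcome lines carry user, source address and result in one place.
# "invalid user" is optional so failures against non-existent accounts also match.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def detect_failures_then_success(lines, admin_users=ADMIN_USERS, threshold=THRESHOLD):
    """Return one alert per (user, source) whose successful login was preceded
    by at least `threshold` failed attempts since the previous success."""
    failures = defaultdict(int)  # (user, src) -> failures since last success
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # pam_unix / unix_chkpwd / unrelated lines are skipped
        key = (m["user"], m["src"])
        if m["outcome"] == "Failed":
            failures[key] += 1
        else:
            # A success closes the transaction: report it if it followed enough
            # failures and the account is one we watch, then reset the counter.
            count = failures.pop(key, 0)
            if count >= threshold and m["user"] in admin_users:
                alerts.append({
                    "user": m["user"],
                    "src": m["src"],
                    "host": m["host"],
                    "failed_attempts": count,
                    "success_at": m["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_LOG.splitlines()):
        print(f"{alert['success_at']} {alert['host']}: admin user {alert['user']} "
              f"from {alert['src']} succeeded after {alert['failed_attempts']} failures")
```

Keying on (user, source address) rather than on the user alone keeps a legitimate typo from one workstation from being merged with attempts from elsewhere; in Logstash the same (user, src) pair would be the task_id of an aggregate filter, with the counter reset when the "Accepted" event arrives.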