Logstash transaction processing

Hi,

I am looking for transaction-specific processing in Logstash. For example, I have a Linux server with one user account 'aaa' that has admin access.

In case 'aaa' is trying to log in to one Linux server with multiple logins followed by a successful login, i.e., if the user 'aaa' types an incorrect password two times and on the third time enters the password correctly.

So in /var/log/secure, I will have the below set of logs.
Jan 25 07:41:54 localhost sshd[2347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=s249635
Jan 25 07:41:56 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:41:59 localhost unix_chkpwd[2350]: password check failed for user (s249635)
Jan 25 07:42:01 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:03 localhost sshd[2347]: Accepted password for s249635 from 10.0.2.2 port 57321 ssh2
Jan 25 07:42:04 localhost sshd[2347]: pam_unix(sshd:session): session opened for user s249635 by (uid=0)

My requirement is that I have to capture the admin user who is trying to access the server with multiple logon failures followed by a successful login, and the count of failed attempts.

"message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} sshd(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}authentication failure%{GREEDYDATA}user=%{USERNAME:username}"

Can you please tell me how I can handle it for the specific transaction?

Logstash can't do this without custom plugins. This kind of log analysis isn't what Logstash is primarily built to do.

Can you please tell me what plugin I have to use in order to process the transaction?

I don't think anyone has written and published such a plugin. That's why I indicated that you'd need a custom plugin.

@Monica1

Further to what Magnus said, what you are looking for is a kind of Complex Event Processing - Logstash does Event Stream Processing. The scenario you describe requires a time and context window and the plugin must see all events in order, meaning single worker and other constraints.

See this for a comparison.

We have plans to introduce a form of CEP to LS but some foundation (shared state across threads and instances) work needs to take place first.
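
The correlation described in the replies above (a time and context window over events seen in order), written as a standalone Ruby script and run over the sshd lines from the first post. This is an added example, not part of the original thread and not a Logstash plugin; the class name, the 300-second window, the two-failure threshold and the year used to parse the year-less syslog timestamps are assumptions.

```ruby
require 'time'

# Constructed sample: the /var/log/secure lines quoted in the first post.
SAMPLE = <<~LOG
  Jan 25 07:41:54 localhost sshd[2347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=s249635
  Jan 25 07:41:56 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
  Jan 25 07:41:59 localhost unix_chkpwd[2350]: password check failed for user (s249635)
  Jan 25 07:42:01 localhost sshd[2347]: Failed password for s249635 from 10.0.2.2 port 57321 ssh2
  Jan 25 07:42:03 localhost sshd[2347]: Accepted password for s249635 from 10.0.2.2 port 57321 ssh2
  Jan 25 07:42:04 localhost sshd[2347]: pam_unix(sshd:session): session opened for user s249635 by (uid=0)
LOG

# Hypothetical correlator: keeps per-(user, source IP) state and must see
# events in timestamp order, i.e. it is fed by a single worker.
class FailedThenAccepted
  LINE = /\A(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?<result>Failed|Accepted) password for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port \d+/

  def initialize(window: 300, min_failures: 2, year: 2017) # assumed defaults
    @window, @min_failures, @year = window, min_failures, year
    @failures = Hash.new { |h, k| h[k] = [] }
  end

  # Returns an alert hash when a success follows enough recent failures, else nil.
  def process(line)
    m = LINE.match(line)
    return nil unless m
    at = Time.strptime("#{@year} #{m[:ts]}", '%Y %b %d %H:%M:%S')
    key = [m[:user], m[:ip]]
    recent = @failures[key].select { |t| at - t <= @window } # expire old failures
    if m[:result] == 'Failed'
      @failures[key] = recent << at
      return nil
    end
    @failures.delete(key) # a success closes the transaction
    return nil if recent.size < @min_failures
    { user: m[:user], rhost: m[:ip], failed_attempts: recent.size,
      first_failure: recent.first, success_at: at }
  end
end

# Feeds a block of log text through one correlator and collects the alerts.
def alerts_for(text, **opts)
  c = FailedThenAccepted.new(**opts)
  text.each_line.map { |l| c.process(l.chomp) }.compact
end

alerts_for(SAMPLE).each { |a| puts a } if __FILE__ == $PROGRAM_NAME
```

Only the "Failed password" and "Accepted password" lines are counted, so the pam_unix and unix_chkpwd lines for the same attempt do not inflate the failure count.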
