I have a Logstash config file like this:
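# Beats input from Filebeat. NOTE(review): ssl => false means the shipped
# log lines (including auth.log contents) cross the network in clear text.
input {
  beats {
    host => "0.0.0.0"
    port => 5044
    ssl => false
  }
}

filter {
  if [fileset][name] == "auth" {
    # Only sshd lines shaped "<event> for <user> from <ip> port <port> ssh2"
    # match this pattern; "Connection closed ...", "PAM ..." and similar
    # sshd lines do not and receive the _grokparsefailure tag.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} for %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2" }
      add_field => [ "activity","SSH Logins" ]
      add_tag => "linux_auth"
    }
    # Unmatched auth lines are discarded here, so the PAM / "Connection closed"
    # lines that accompany a burst of failed logins never reach Elasticsearch.
    # Keep this in mind before relying on the index for login-failure counts.
    if "_grokparsefailure" in [tags] { drop {} }
    date {
      match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      # Syslog timestamps carry no zone. Without an explicit timezone the
      # parse uses the Logstash host's zone, which shifts @timestamp by hours
      # when the shipping host is in a different zone. Filebeat's system
      # module supplies the source zone in [event][timezone]; if that field
      # is ever absent the event is tagged _dateparsefailure instead.
      timezone => "%{[event][timezone]}"
    }
  }
  else if [fileset][name] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_tag => "linux_syslog"
    }
  }
}

output {
  # Plain HTTP to Elasticsearch with no credentials configured; fine for a
  # lab, not for anything reachable beyond the local network.
  elasticsearch {
    hosts => ["192.168.186.157:9200"]
    manage_template => false
    # Daily index per Beat type/version, e.g. filebeat-<version>-YYYY.MM.dd.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  # Echo every event to the Logstash log/console for debugging.
  stdout { codec => rubydebug }
}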
Then I send auth.log and syslog to Logstash.
Here is part of auth.log for you to check:
Jul 16 06:58:59 kali sshd[5806]: Failed password for kali from 192.168.186.149 port 54760 ssh2
Jul 16 06:58:59 kali sshd[5812]: Failed password for kali from 192.168.186.149 port 54774 ssh2
Jul 16 06:58:59 kali sshd[5807]: Failed password for kali from 192.168.186.149 port 54762 ssh2
Jul 16 06:58:59 kali sshd[5809]: Failed password for kali from 192.168.186.149 port 54766 ssh2
Jul 16 06:58:59 kali sshd[5808]: Failed password for kali from 192.168.186.149 port 54764 ssh2
Jul 16 06:58:59 kali sshd[5811]: Failed password for kali from 192.168.186.149 port 54772 ssh2
Jul 16 06:59:00 kali sshd[5802]: Connection closed by authenticating user kali 192.168.186.149 port 54752 [preauth]
Jul 16 06:59:00 kali sshd[5802]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5802]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5801]: Connection closed by authenticating user kali 192.168.186.149 port 54750 [preauth]
Jul 16 06:59:00 kali sshd[5801]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5801]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5799]: Connection closed by authenticating user kali 192.168.186.149 port 54746 [preauth]
Jul 16 06:59:00 kali sshd[5799]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5799]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5800]: error: maximum authentication attempts exceeded for kali from 192.168.186.149 port 54748 ssh2 [preauth]
Jul 16 06:59:00 kali sshd[5800]: Disconnecting authenticating user kali 192.168.186.149 port 54748: Too many authentication failures [preauth]
Jul 16 06:59:00 kali sshd[5800]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5800]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5803]: Connection closed by authenticating user kali 192.168.186.149 port 54754 [preauth]
Jul 16 06:59:00 kali sshd[5803]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5803]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5804]: Connection closed by authenticating user kali 192.168.186.149 port 54756 [preauth]
Jul 16 06:59:00 kali sshd[5804]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5804]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5798]: Connection closed by authenticating user kali 192.168.186.149 port 54744 [preauth]
Jul 16 06:59:00 kali sshd[5798]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5798]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5805]: Connection closed by authenticating user kali 192.168.186.149 port 54758 [preauth]
Jul 16 06:59:00 kali sshd[5805]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5805]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5806]: Connection closed by authenticating user kali 192.168.186.149 port 54760 [preauth]
Jul 16 06:59:00 kali sshd[5806]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
Jul 16 06:59:00 kali sshd[5806]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 16 06:59:00 kali sshd[5812]: Connection closed by authenticating user kali 192.168.186.149 port 54774 [preauth]
Jul 16 06:59:00 kali sshd[5812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.186.149 user=kali
I have checked the syslog on the host where Logstash is installed, and the event is in there:
Jul 17 19:02:33 ubuntu logstash[3645]: "@version" => "1",
Jul 17 19:02:33 ubuntu logstash[3645]: "host" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "os" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "platform" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "version" => "2020.3",
Jul 17 19:02:33 ubuntu logstash[3645]: "kernel" => "5.7.0-kali1-amd64",
Jul 17 19:02:33 ubuntu logstash[3645]: "type" => "linux",
Jul 17 19:02:33 ubuntu logstash[3645]: "name" => "Kali GNU/Linux",
Jul 17 19:02:33 ubuntu logstash[3645]: "family" => "",
Jul 17 19:02:33 ubuntu logstash[3645]: "codename" => "kali-rolling"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "ip" => [
Jul 17 19:02:33 ubuntu logstash[3645]: [0] "192.168.186.151",
Jul 17 19:02:33 ubuntu logstash[3645]: [1] "fe80::20c:29ff:fed0:4beb"
Jul 17 19:02:33 ubuntu logstash[3645]: ],
Jul 17 19:02:33 ubuntu logstash[3645]: "name" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "hostname" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "architecture" => "x86_64",
Jul 17 19:02:33 ubuntu logstash[3645]: "mac" => [
Jul 17 19:02:33 ubuntu logstash[3645]: [0] "00:0c:29:d0:4b:eb"
Jul 17 19:02:33 ubuntu logstash[3645]: ],
Jul 17 19:02:33 ubuntu logstash[3645]: "id" => "0c42c6c017eb4a808d334aedb1e3f72f",
Jul 17 19:02:33 ubuntu logstash[3645]: "containerized" => false
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "message" => "Jul 17 08:02:30 kali sshd[1195]: Failed password for kali from 192.168.186.149 port 60216 ssh2"
Jul 17 19:02:33 ubuntu logstash[3645]: }
Jul 17 19:02:33 ubuntu logstash[3645]: {
Jul 17 19:02:33 ubuntu logstash[3645]: "fileset" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "name" => "auth"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "service" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "type" => "system"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "event" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "timezone" => "-04:00",
Jul 17 19:02:33 ubuntu logstash[3645]: "dataset" => "system.auth",
Jul 17 19:02:33 ubuntu logstash[3645]: "module" => "system"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "tags" => [
Jul 17 19:02:33 ubuntu logstash[3645]: [0] "beats_input_codec_plain_applied",
Jul 17 19:02:33 ubuntu logstash[3645]: [1] "linux_auth"
Jul 17 19:02:33 ubuntu logstash[3645]: ],
Jul 17 19:02:33 ubuntu logstash[3645]: "@timestamp" => 2021-07-17T01:02:30.000Z,
Jul 17 19:02:33 ubuntu logstash[3645]: "system" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "auth" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "ssh" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "event" => "Failed password",
Jul 17 19:02:33 ubuntu logstash[3645]: "ip" => "192.168.186.149",
Jul 17 19:02:33 ubuntu logstash[3645]: "port" => "60194"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "timestamp" => "Jul 17 08:02:30",
Jul 17 19:02:33 ubuntu logstash[3645]: "pid" => "1189",
Jul 17 19:02:33 ubuntu logstash[3645]: "user" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "hostname" => "kali"
Jul 17 19:02:33 ubuntu logstash[3645]: }
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "activity" => "SSH Logins",
Jul 17 19:02:33 ubuntu logstash[3645]: "log" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "file" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "path" => "/var/log/auth.log"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "offset" => 330238
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "input" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "type" => "log"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "agent" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "ephemeral_id" => "2cc4e8df-1218-48c4-9b41-aa77c62a356e",
Jul 17 19:02:33 ubuntu logstash[3645]: "type" => "filebeat",
Jul 17 19:02:33 ubuntu logstash[3645]: "version" => "7.13.1",
Jul 17 19:02:33 ubuntu logstash[3645]: "name" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "hostname" => "kali",
Jul 17 19:02:33 ubuntu logstash[3645]: "id" => "f152b60c-88cf-41a2-9a23-0f0119532b35"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:33 ubuntu logstash[3645]: "ecs" => {
Jul 17 19:02:33 ubuntu logstash[3645]: "version" => "1.9.0"
Jul 17 19:02:33 ubuntu logstash[3645]: },
Jul 17 19:02:35 ubuntu logstash[3645]: [2021-07-17T19:02:35,582][DEBUG][logstash.outputs.elasticsearch][main][b139133fa702504a3c994dbba5834e0ddce2f41e64742a611bb9239ae1df99f4] Sending final bulk request for batch. {:action_count=>4, :payload_size=>5192, :content_length=>5192, :batch_offset=>0}
Jul 17 19:02:35 ubuntu logstash[3645]: {
Jul 17 19:02:35 ubuntu logstash[3645]: "fileset" => {
It got the log, so why doesn't my Kibana show it? Kibana shows the syslog entries but not any auth.log entries.
Does anyone know how to fix this? I really need your help!