SSH Access Rule

Alsheh · June 3, 2020, 10:53pm

To detect SSH access, I'm using the rule below:

## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

This is generating a lot of events so I'm interested to fine tune the rule to catch the SSH events only. Ideally, this can be done without dropping the events via the auditbeat processor to make it less expensive on the host to monitor. Any guidance on how that can be done?

Thanks!

warkolm · June 3, 2020, 10:56pm

Are you asking a question here? It's not really clear given you have only posted two lines of text from somewhere.

Alsheh · June 3, 2020, 10:57pm

sorry, I accidentally posted before finishing typing. I've updated my original post.

Alsheh · June 13, 2020, 3:28am

Solved by using Filebeat system module which collects logs from /var/log/auth.log

system · July 4, 2020, 3:28am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat disable login log Beats auditbeat	2	419	June 27, 2019
Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule Beats auditbeat	2	477	December 22, 2021
Auditbeat on Windows core with sshd Beats auditbeat	1	296	September 8, 2022
TTY Auditing User Keystrokes Beats auditbeat	4	797	August 29, 2019
Configuring Auditbeat to only report modifications to files I want to monitor Beats auditbeat	7	1222	October 23, 2018

SSH Access Rule

Related topics