SSH Access Rule

To detect SSH access, I'm using the rule below:

## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

This is generating a lot of events so I'm interested to fine tune the rule to catch the SSH events only. Ideally, this can be done without dropping the events via the auditbeat processor to make it less expensive on the host to monitor. Any guidance on how that can be done?


Are you asking a question here? It's not really clear given you have only posted two lines of text from somewhere.

sorry, I accidentally posted before finishing typing. I've updated my original post.

1 Like

Solved by using Filebeat system module which collects logs from /var/log/auth.log

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.