SSH Access Rule

Alsheh · June 3, 2020, 10:53pm

To detect SSH access, I'm using the rule below:

## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

This is generating a lot of events so I'm interested to fine tune the rule to catch the SSH events only. Ideally, this can be done without dropping the events via the auditbeat processor to make it less expensive on the host to monitor. Any guidance on how that can be done?

Thanks!

warkolm · June 3, 2020, 10:56pm

Are you asking a question here? It's not really clear given you have only posted two lines of text from somewhere.

Alsheh · June 3, 2020, 10:57pm

sorry, I accidentally posted before finishing typing. I've updated my original post.

Alsheh · June 13, 2020, 3:28am

Solved by using Filebeat system module which collects logs from /var/log/auth.log

Topic		Replies	Views
Auditbeat disable login log Beats auditbeat	2	454	June 27, 2019
Log All User's Shell Activity Beats auditbeat	3	3987	September 8, 2018
Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule Beats auditbeat	2	518	December 22, 2021
Auditbeat on Windows core with sshd Beats auditbeat	1	310	September 8, 2022
Configuring Auditbeat to only report modifications to files I want to monitor Beats auditbeat	7	1320	October 23, 2018

SSH Access Rule

Related topics