System Integration not Parsing SSH Failures

Elasticsearch/Kibana Version = 8.2

I'm starting a new cluster and want to verify all of the default dashboards and ingest paths are working correctly. I am using Fleet to manage the agents and integrations.

For the System Integration, successful SSH events will produce 'system.auth.ssh.event : Accepted',
BUT failed logins will not produce any 'system.auth.ssh.event' value at all.

The created index is .ds-logs-system.auth-default-YYYY.MM.DD-00000X and the Data Stream is 'logs-system.auth-default'. The associated Index Template is 'logs-system.auth' and the index default pipeline is 'logs-system.auth-1.6.4'.

I am pretty sure this worked just fine in version 8.0, but I don't see any way to downgrade the System integration package to verify, other than blowing this away and building a new environment.

Any thoughts?
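An offline triage script, added here as an example and not code from the original post or from the System integration: it re-parses sshd messages from a sample of documents (constructed below, keyed by dotted field names as the `fields` option of a search returns them) and lists the login results that arrived without `system.auth.ssh.event`; the Query DSL body it builds counts the same gap directly against the `logs-system.auth-default` data stream. The field names other than `system.auth.ssh.event` and the two regexes are assumptions, not the integration's own grok patterns.

```python
import re
from typing import Dict, List, Optional

# Regexes for the two sshd login-result shapes (constructed; not the pipeline's grok).
_ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
_FAILED = re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample of documents as they might arrive in logs-system.auth-default:
# the failed login is missing the event field, reproducing the symptom in the post.
SAMPLE_DOCS: List[Dict[str, str]] = [
    {"process.name": "sshd", "system.auth.ssh.event": "Accepted",
     "message": "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:PLACEHOLDER"},
    {"process.name": "sshd",
     "message": "Failed password for invalid user bob from 10.0.0.9 port 40022 ssh2"},
    {"process.name": "sshd",
     "message": "pam_unix(sshd:session): session opened for user alice by (uid=0)"},
]


def reference_ssh_event(message: str) -> Optional[Dict[str, str]]:
    """Reference parse of an sshd message into the fields the post expects.

    Returns None for sshd lines that are not login results (e.g. PAM session lines).
    Field names besides system.auth.ssh.event are assumed ECS/System-integration names.
    """
    for rx, event in ((_ACCEPTED, "Accepted"), (_FAILED, "Failed")):
        m = rx.search(message)
        if m:
            return {"system.auth.ssh.event": event, "system.auth.ssh.method": m["method"],
                    "user.name": m["user"], "source.ip": m["ip"], "source.port": m["port"]}
    return None


def find_unparsed(docs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the docs that are sshd login results but lack system.auth.ssh.event,
    each annotated with the value the reference parser says it should carry."""
    gaps = []
    for doc in docs:
        expected = reference_ssh_event(doc.get("message", ""))
        if expected and "system.auth.ssh.event" not in doc:
            gaps.append({**doc, "expected.system.auth.ssh.event": expected["system.auth.ssh.event"]})
    return gaps


def missing_ssh_event_query() -> dict:
    """Query DSL (for _count on the data stream) matching sshd 'Failed' messages that
    the ingest pipeline left without system.auth.ssh.event."""
    return {"query": {"bool": {
        "filter": [{"term": {"process.name": "sshd"}}, {"match_phrase": {"message": "Failed"}}],
        "must_not": [{"exists": {"field": "system.auth.ssh.event"}}]}}}
```

Run `find_unparsed` over a few hundred documents exported from the data stream, or POST `missing_ssh_event_query()` to `logs-system.auth-default/_count`; a non-zero result confirms the pipeline, not the agent, is dropping the field.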
