System Integration not Parsing SSH Failures

ericbarnes · May 10, 2022, 8:52pm

Elasticsearch/Kibana Version = 8.2

I'm starting a new cluster and want to verify all of the default dashboards and ingest paths are working correctly. I am using Fleet to manage the agents and integrations.

For the System Integration, successful SSH events will produce 'system.auth.ssh.event : Accepted'
BUT failed logins will not produce and 'system.auth.ssh.event' value at all.

The created index is .ds-logs-system.auth-default-YYYY.MM.DD-00000X and the Data Stream is 'logs-system.auth-default.' The associated Index Template is 'logs-system.auth' and the index default pipeline is 'logs-system.auth-1.6.4'

I am pretty sure this worked just fine in version 8.0 but I don't see anyway to downgrade the system integration package to verify - other than blow this away and build a new environment.

Any thoughts

system · June 7, 2022, 10:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat->Kafka->Logstash->Elasticsearch fails for system.auth: "Provided Grok expressions do not match field value" Logstash ingest-pipeline	12	692	February 10, 2023
Filebeat SSH dashboard failing to show events (Kibana 7.0) Beats filebeat	17	3492	May 31, 2019
Monitoring ingress pipelines Elasticsearch ingest-pipeline	2	511	October 9, 2021
SSH login attempts dashboard on kibana Kibana	28	10250	November 14, 2018
Beats' output, logstash or elasticsearh Beats filebeat	4	421	June 4, 2019

System Integration not Parsing SSH Failures

Related topics