@FlorianHeigl
Forked from spuder/ssh.md
Created August 13, 2017 02:39
logstash-grok-ssh ignore root user

I have ssh connections from multiple users. I want to log all connections except those from the user 'git'. How do you create an exception to a filter?

input {

  file {
     path => "/var/log/auth.log"
     type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # May 14 14:27:59 gitlab sshd[25048]: Accepted publickey for git from 10.0.6.220 port 52535 ssh2
    # Tag every successful ssh login. The user name is captured into [user] so it is available downstream.
    grok {
      match   => [ "message", "%{SYSLOGTIMESTAMP} %{HOSTNAME} %{PROG}\[%{NUMBER:pid}\]: Accepted %{WORD:authtype} for %{USER:user} from %{IPV4} port %{NUMBER:port} %{WORD:protocol}" ]
      add_tag => [ "ssh_connection" ]
    }

    # Untag all the ssh connections from user git.
    # grok only applies remove_tag when its pattern matches, so only lines for the literal user "git"
    # lose the tag; "gitlab-runner" and other users keep it. Non-matching lines get _grokparsefailure.
    grok {
      match      => [ "message", "%{SYSLOGTIMESTAMP} %{HOSTNAME} %{PROG}\[%{NUMBER:pid}\]: Accepted %{WORD:authtype} for git from %{IPV4} port %{NUMBER:port} %{WORD:protocol}" ]
      remove_tag => [ "ssh_connection" ]
    }
  }
}

output {

  if "ssh_connection" in [tags] {
    email {
      to      => "foo@bar.com"
      from    => "logstash@foobar.com"
      subject => "Intruder Alert"
    }
  }
  redis {
   ...
  }

}
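To check what the tag/untag logic above actually produces before pointing an email output at it, here is the same filter logic run over sample auth.log lines in Python. This is an added example, not code from the gist: the regex is a hand-written equivalent of the grok pattern (grok's `%{USER}` and `%{IPV4}` are approximated), the log lines are constructed, and `IGNORED_USERS`, `filter_event` and `alerts` are names chosen here. It also generalises the page's single exception to a set of excluded users, matched on the captured user field rather than on a second copy of the whole pattern, and shows that "Failed password" lines and users whose names merely start with "git" are handled as the page intends.

```python
import re

# Hand-written equivalent of the gist's grok pattern (assumption: grok's %{USER} ~ [\w.-]+,
# %{IPV4} ~ dotted quad, %{PROG} ~ [\w._/-]+).
SSH_ACCEPT = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w._/-]+)"
    r"\[(?P<pid>\d+)\]: Accepted (?P<authtype>\w+) for (?P<user>[\w.-]+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) (?P<protocol>\w+)$"
)

# Users whose successful logins should not raise an alert (the gist's exception for "git").
IGNORED_USERS = {"git"}


def filter_event(message, ignored_users=IGNORED_USERS):
    """Mimic the Logstash filter block: tag successful ssh logins, then untag ignored users."""
    event = {"message": message, "tags": []}
    m = SSH_ACCEPT.match(message)
    if not m:
        # Equivalent of grok's _grokparsefailure: line is not an "Accepted ..." login.
        event["tags"].append("_grokparsefailure")
        return event
    event.update(m.groupdict())          # pid, authtype, user, ip, port, protocol, ...
    event["tags"].append("ssh_connection")
    # Exact match on the captured user, so "gitlab-runner" is not mistaken for "git".
    if event["user"] in ignored_users:
        event["tags"].remove("ssh_connection")
    return event


def alerts(lines, ignored_users=IGNORED_USERS):
    """Equivalent of the output conditional: events that still carry the ssh_connection tag."""
    return [
        e for e in (filter_event(line, ignored_users) for line in lines)
        if "ssh_connection" in e["tags"]
    ]


# Constructed sample lines in the same format as the gist's example line.
SAMPLE_LOG = [
    "May 14 14:27:59 gitlab sshd[25048]: Accepted publickey for git from 10.0.6.220 port 52535 ssh2",
    "May 14 14:28:10 gitlab sshd[25061]: Accepted password for root from 192.0.2.7 port 40120 ssh2",
    "May 14 14:28:12 gitlab sshd[25061]: Failed password for root from 192.0.2.7 port 40120 ssh2",
    "May 14 14:29:01 gitlab sshd[25070]: Accepted publickey for gitlab-runner from 10.0.6.221 port 51000 ssh2",
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG):
        print(f"ALERT user={e['user']} ip={e['ip']} auth={e['authtype']}")
```

Running the block prints alerts for `root` and `gitlab-runner` only: the `git` login is untagged, and the `Failed password` line never gets the tag because the pattern only matches `Accepted`. Membership in a set of excluded users is the cheaper and less error-prone form of the gist's second grok, which has to repeat the whole pattern with the user name hard-coded.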