Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
MIT Kerberos Logstash filter
# Kerberos krb5kdc/kadmind/kpropd
if [program] == "kadmind" {
grok {
match => { "syslog_msg" => "^Request: %{DATA:kadmind_request}, client=%{DATA:kadmind_client}, service=%{DATA:kadmind_service}, addr=%{IP:kadmind_addr}$" }
match => { "syslog_msg" => "^%{DATA:kadmind_other}$" }
add_tag => [ "kadmind" ]
}
}
if [program] == "krb5kdc" {
grok {
match => { "syslog_msg" => "^(?<krb5kdc_reqtype>AS_REQ|TGS_REQ) \(%{NUMBER:krb5kdc_etypes_count} etypes \{%{DATA:krb5kdc_client_etypes}\}\) %{IP:krb5kdc_clientip}: %{DATA:krb5kdc_req_status}: %{DATA:krb5kdc_client}@%{DATA:krb5kdc_client_realm} for %{DATA:krb5kdc_server}@%{DATA:krb5kdc_server_realm}, %{DATA:krb5kdc_req_status_msg}$" }
match => { "syslog_msg" => "^(?<krb5kdc_reqtype>AS_REQ|TGS_REQ) \(%{NUMBER:krb5kdc_etypes_count} etypes \{%{DATA:krb5kdc_client_etypes}\}\) %{IP:krb5kdc_clientip}: (?<krb5kdc_req_status>ISSUE): authtime %{NUMBER}, etypes {rep=%{DATA:krb5kdc_etype_rep} tkt=%{DATA:krb5kdc_etype_tkt} ses=%{DATA:krb5kdc_etype_ses}}, %{DATA:krb5kdc_client}@%{DATA:krb5kdc_client_realm} for %{DATA:krb5kdc_server}@%{DATA:krb5kdc_server_realm}$" }
match => { "syslog_msg" => "^%{DATA:krb5kdc_other}$" } # catch-all
add_tag => [ "krb5kdc" ]
}
if [krb5kdc_req_status] == "ISSUE" {
mutate { add_tag => [ "%{krb5kdc_reqtype}-success", "%{krb5kdc_reqtype}" ] }
} else if [krb5kdc_req_status] {
mutate { add_tag => [ "%{krb5kdc_reqtype}-failure", "%{krb5kdc_reqtype}" ] }
} else {
mutate { add_tag => [ "krb5kdc_other" ] }
}
mutate { split => { "krb5kdc_client_etypes" => " " } }
translate {
dictionary_path => "/etc/logstash/dicts/krb5_etypes.yaml"
field => "krb5kdc_client_etypes"
destination => "krb5kdc_client_etypes_str"
}
translate {
dictionary_path => "/etc/logstash/dicts/krb5_etypes.yaml"
field => "krb5kdc_etype_rep"
destination => "krb5kdc_etype_rep_str"
}
translate {
dictionary_path => "/etc/logstash/dicts/krb5_etypes.yaml"
field => "krb5kdc_etype_tkt"
destination => "krb5kdc_etype_tkt_str"
}
translate {
dictionary_path => "/etc/logstash/dicts/krb5_etypes.yaml"
field => "krb5kdc_etype_ses"
destination => "krb5kdc_etype_ses_str"
}
}
"1": "des-cbc-crc"
"2": "des-cbc-md4"
"3": "des-cbc-md5"
"5": "des3-cbc-md5"
"7": "des3-cbc-sha1"
"9": "dsaWithSHA1-CmsOID"
"10": "md5WithRSAEncryption-CmsOID"
"11": "sha1WithRSAEncryption-CmsOID"
"12": "rc2CBC-EnvOID"
"13": "rsaEncryption-EnvOID"
"14": "rsaES-OAEP-ENV-OID"
"15": "des-ede3-cbc-Env-OID"
"16": "des3-cbc-sha1-kd"
"17": "aes128-cts-hmac-sha1-96"
"18": "aes256-cts-hmac-sha1-96"
"19": "aes128-cts-hmac-sha256-128"
"20": "aes256-cts-hmac-sha384-192"
"23": "rc4-hmac"
"24": "rc4-hmac-exp"
"25": "camellia128-cts-cmac"
"26": "camellia256-cts-cmac"
"65": "subkey-keymaterial"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment