filter_syslog.conf
Sep 4 09:30:24 lb1 sshd[29552]: Accepted publickey for steve from 72.64.121.61 port 35652 ssh2: RSA 70:74:08:63:33:7f:28:c2:8c:65:da:70:51:11:fd:c1
Sep 4 10:10:41 app1 sudo: pam_unix(sudo:auth): authentication failure; logname=steve uid=1006 euid=0 tty=/dev/pts/1 ruser=events rhost= user=events
Sep 4 10:14:35 app1 sshd[9274]: Failed password for events from 72.64.121.61 port 38268 ssh2
Sep 4 10:14:37 app1 sshd[9274]: Connection closed by 72.64.121.61 [preauth]
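filter {
  if [type] == "syslog" {
    # Split the raw syslog line into timestamp / host / program[pid] / message.
    # received_at is copied from @timestamp here, before the date filter below
    # replaces @timestamp with the time written in the log line, so it records
    # when Logstash ingested the event rather than when the host logged it.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }

    # Each classifier below matches exactly one message shape, so for any given
    # event most of them do not match. By default a non-matching grok adds
    # "_grokparsefailure", which meant every event carried that tag even when a
    # classifier had matched, and the "@source_host"/"@message" block further
    # down never ran. tag_on_failure => [] reserves "_grokparsefailure" for the
    # syslog header parse above, which is the only parse that should gate it.
    # NOTE: these tags mark a single event. A password failure for an unknown
    # user is one signal; whether it is brute force is a rate decision that has
    # to be made downstream (e.g. count of ssh_* tags per src_ip over a window).
    grok {
      match => { "syslog_message" => "Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
      add_tag => "ssh_brute_force_attack"
      tag_on_failure => []
    }
    grok {
      # rhost is empty for local sudo use (see the sample sudo line), hence the
      # optional alternative.
      match => { "syslog_message" => "pam_unix\(sudo:auth\): authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}" }
      add_tag => "sudo_auth_failure"
      tag_on_failure => []
    }
    grok {
      # Existing-user failures only: "invalid user" lines cannot match here
      # because USERNAME does not admit a space.
      match => { "syslog_message" => "Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
      add_tag => "ssh_failed_login"
      tag_on_failure => []
    }
    grok {
      # First pattern that matches wins (grok's default break_on_match).
      match => [
        "syslog_message", "Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2",
        "syslog_message", "Accepted publickey for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2: %{WORD:algorithm} %{GREEDYDATA:signature}"
      ]
      # Spelling of the tag kept as-is: saved searches and dashboards key on it.
      add_tag => "ssh_sucessful_login"
      tag_on_failure => []
    }

    # Derive syslog_facility / syslog_severity from the PRI value.
    syslog_pri { }

    # Classic syslog timestamps pad single-digit days with a second space
    # ("Sep  4"); SYSLOGTIMESTAMP accepts that form, so the date filter must too.
    # No timezone is given, so the timestamp is interpreted in the Logstash
    # host's local zone (the sample output shows 09:30:24 becoming 13:30:24Z);
    # set `timezone => "..."` here if the log sources are not in that zone.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Only runs when the syslog header itself parsed; with tag_on_failure
    # cleared on the classifiers above, this condition is now reachable.
    # NOTE(review): "@source_host" and "@message" are Logstash 1.1-era field
    # names; on the event format seen in the sample output (@version "1") they
    # are created as ordinary fields — confirm that is what consumers expect.
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }

    # Intermediate fields are dropped on every path, including parse failures.
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
    }
  }
}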
{
"message" => "Sep 4 09:30:24 lb1 sshd[29552]: Accepted publickey for steve from 72.64.121.61 port 35652 ssh2: RSA 67:74:08:63:33:7f:28:c2:8c:65:da:70:51:11:fd:c1",
"@version" => "1",
"@timestamp" => "2015-09-04T13:30:24.000Z",
"type" => "syslog",
"host" => "mgt-logging-app1",
"syslog_program" => "sshd",
"syslog_pid" => "29552",
"received_at" => "2015-09-04T14:52:40.170Z",
"received_from" => "mgt-logging-app1",
"tags" => [
[0] "_grokparsefailure",
[1] "ssh_sucessful_login"
],
"username" => "steve",
"src_ip" => "72.64.121.61",
"port" => "35652",
"algorithm" => "RSA",
"signature" => "67:74:08:63:33:7f:28:c2:8c:65:da:70:51:11:fd:c1",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}
{
"message" => "Sep 4 10:10:41 app1 sudo: pam_unix(sudo:auth): authentication failure; logname=steve uid=1006 euid=0 tty=/dev/pts/1 ruser=events rhost= user=events",
"@version" => "1",
"@timestamp" => "2015-09-04T14:10:41.000Z",
"type" => "syslog",
"host" => "mgt-logging-app1",
"syslog_program" => "sudo",
"received_at" => "2015-09-04T14:52:40.172Z",
"received_from" => "mgt-logging-app1",
"tags" => [
[0] "_grokparsefailure",
[1] "sudo_auth_failure"
],
"logname" => "steve",
"uid" => "1006",
"euid" => "0",
"tty" => "/dev/pts/1",
"ruser" => "events",
"user" => "events",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}
{
"message" => "Sep 4 10:14:35 app1 sshd[9274]: Failed password for events from 72.64.121.61 port 38268 ssh2",
"@version" => "1",
"@timestamp" => "2015-09-04T14:14:35.000Z",
"type" => "syslog",
"host" => "mgt-logging-app1",
"syslog_program" => "sshd",
"syslog_pid" => "9274",
"received_at" => "2015-09-04T14:52:40.172Z",
"received_from" => "mgt-logging-app1",
"tags" => [
[0] "_grokparsefailure",
[1] "ssh_failed_login"
],
"username" => "events",
"src_ip" => "72.64.121.61",
"port" => "38268",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}
{
"message" => "Sep 4 10:14:37 app1 sshd[9274]: Connection closed by 72.64.121.61 [preauth]",
"@version" => "1",
"@timestamp" => "2015-09-04T14:14:37.000Z",
"type" => "syslog",
"host" => "mgt-logging-app1",
"syslog_program" => "sshd",
"syslog_pid" => "9274",
"received_at" => "2015-09-04T14:52:40.172Z",
"received_from" => "mgt-logging-app1",
"tags" => [
[0] "_grokparsefailure"
],
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}