Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
A simple Logstash conffile with a custom grok filter
input {
tcp {
type => "linux-syslog"
port => 3333
}
file {
type => "linux-syslog"
path => [ "/var/log/auth.log" ]
}
}
filter {
grok {
type => "linux-syslog"
pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
add_tag => "ssh_brute_force_attack"
}
}
output {
stdout { }
elasticsearch { embedded => true }
}
Owner

juanje commented Jul 10, 2012

This detect lines like:
Jul 9 22:41:51 myserver sshd[4295]: Failed password for invalid user nagios from 220.113.135.154 port 55993 ssh2

And gives me:

(field) timestamp: Jul 9 22:41:51,
(field) host_target: myserver,
(field) username: nagios,
(field) src_ip: 220.113.135.154,
(field) port: 55993,
(metadata) @message: Jul 9 22:41:51 myserver sshd[4295]: Failed password for invalid user nagios from 220.113.135.154 port 55993 ssh2 ,
(metadata) @tags: ssh_brute_force_attack,
(metadata) @timestamp: 2012-07-10T08:01:59.118000Z,
(metadata) @type: linux-syslog,

and also lines like this:
Jul 9 22:43:17 myserver sshd[4638]: Failed password for root from 220.113.135.154 port 58638 ssh2

And gives me:

(field) timestamp: Jul 9 22:43:17,
(field) host_target: myserver,
(field) username: root,
(field) src_ip: 220.113.135.154,
(field) port: 58638,
(metadata) @message: Jul 9 22:43:17 myserver sshd[4638]: Failed password for root from 220.113.135.154 port 58638 ssh2 ,
(metadata) @tags: ssh_brute_force_attack,
(metadata) @timestamp: 2012-07-10T08:01:59.523000Z,
(metadata) @type: linux-syslog,

Thanks dude I used your example to create some more:

grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_brute_force_attack"
}
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sudo: pam_unix\(sudo:auth\): authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}"
  add_tag => "sudo_auth_failure"
}
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_failed_login"
}

grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_sucessful_login"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment