Using ELK stack for offline SSHD log analysis
To start Elasticsearch + Logstash + Kibana execute:
The container images will be downloaded from Docker Hub on the first run.
Next, import the log file data into Logstash:
nc localhost 5000 < /var/log/auth.log
The Logstash configuration file logstash-auth.conf contains the match rules for parsing SSHD login records (both failed and successful) from the syslog file into Logstash events. Each event will contain the username, the source IP address and the geographical location of the login attempt.
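The parsing step above is what the Logstash match rules do; the following is an added example (not code from this repository) that applies equivalent regular expressions in plain Python to a constructed auth.log excerpt, so the fields that end up in each event (timestamp, host, outcome, auth method, username, source IP, port, and whether sshd reported an "invalid user") can be inspected without running the stack. The log lines, hostnames and IP addresses are constructed for illustration. Geographical enrichment is left to Logstash's geoip filter, since it needs a local GeoIP database; the example instead adds two small summaries a defender would look for in Kibana: failed attempts per source IP, and sources that succeeded after repeated failures.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Regex equivalents of the grok-style match rules for the two sshd record
# types of interest: failed and accepted logins (classic syslog timestamp).
SSHD_PREFIX = (
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: "
)
FAILED_RE = re.compile(
    SSHD_PREFIX
    + r"Failed (?P<method>password|publickey|none) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[0-9a-fA-F:.]+) port (?P<port>\d+) ssh2"
)
ACCEPTED_RE = re.compile(
    SSHD_PREFIX
    + r"Accepted (?P<method>password|publickey|keyboard-interactive/pam) for "
    r"(?P<user>\S+) from (?P<src_ip>[0-9a-fA-F:.]+) port (?P<port>\d+) ssh2"
)

# Constructed sample of /var/log/auth.log (documentation IP ranges, made-up hosts).
SAMPLE_LOG = """\
Mar 10 13:45:02 bastion sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 13:45:10 bastion sshd[12346]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 13:45:30 bastion sshd[12348]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Mar 10 13:46:01 bastion sshd[12350]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:constructedfingerprint
Mar 10 13:47:00 bastion CRON[12360]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


@dataclass
class LoginEvent:
    timestamp: str
    host: str
    outcome: str        # "failed" or "accepted"
    method: str         # password, publickey, ...
    user: str
    src_ip: str
    port: int
    invalid_user: bool  # True when sshd reported "invalid user" (account does not exist)


def parse_line(line: str) -> Optional[LoginEvent]:
    """Turn one auth.log line into a LoginEvent, or None if it is not an sshd login record."""
    outcome = "failed"
    m = FAILED_RE.match(line)
    if m is None:
        outcome = "accepted"
        m = ACCEPTED_RE.match(line)
    if m is None:
        return None  # CRON, sudo, session lines etc. are not login records
    g = m.groupdict()
    return LoginEvent(
        timestamp=g["timestamp"], host=g["host"], outcome=outcome,
        method=g["method"], user=g["user"], src_ip=g["src_ip"],
        port=int(g["port"]), invalid_user=bool(g.get("invalid")),
    )


def parse_lines(lines: Iterable[str]) -> Iterator[LoginEvent]:
    """Yield one event per matching line; non-login lines are skipped."""
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is not None:
            yield ev


def failed_by_source(events: Iterable[LoginEvent]) -> Counter:
    """Failed attempts per source IP: the first chart to build in Kibana."""
    return Counter(ev.src_ip for ev in events if ev.outcome == "failed")


def accepted_after_failures(events: Iterable[LoginEvent], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Sources that logged in successfully after at least `threshold` failures
    (a guessed password or key), returned as (src_ip, user, prior_failures)."""
    failures: Counter = Counter()
    flagged = []
    for ev in events:
        if ev.outcome == "failed":
            failures[ev.src_ip] += 1
        elif failures[ev.src_ip] >= threshold:
            flagged.append((ev.src_ip, ev.user, failures[ev.src_ip]))
    return flagged


if __name__ == "__main__":
    evs = list(parse_lines(SAMPLE_LOG.splitlines()))
    for ev in evs:
        print(ev)
    print("failed per source:", dict(failed_by_source(evs)))
    print("success after failures:", accepted_after_failures(evs))
```

The regexes assume the classic "Mon DD HH:MM:SS" syslog timestamp; hosts that emit RFC 3339 timestamps need the prefix pattern adjusted, exactly as the grok timestamp pattern would in logstash-auth.conf.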
Then connect to Kibana at http://localhost:5601/ and start analyzing the data.
Here are a few sample screenshots.