Reputation: 1
I have gotten a task to set up a new stream that catches all failed SSH logins. I have never used Graylog before and I am really bad at regex.
I have figured out that you need to create a new stream, make it so that all the failed SSH login messages get caught in that stream, and then make an alarm on that.
Upvotes: 0
Views: 2561
Reputation: 385
Check out https://github.com/sshlog/agent/
It's a Linux daemon that monitors OpenSSH for logins, commands run, failed attempts, file uploads, etc.
Adapting their config sample for "send_to_syslog", you can configure the following to send all failed login attempts to Graylog via syslog:

# Description:
# Logs all events (e.g., login, command start, file upload) to a remote syslog server
events:
  - event: log_activity_to_syslog
    triggers:
      - connection_auth_failed
    filters:
      ignore_existing_logins: True
    actions:
      - action: syslog_to_graylog
        plugin: syslog_action
        server_address: address_to_graylog
        port: 5140
        udp: True
        output_json: False
        program_name: sshlog
Upvotes: 0
Reputation: 292
You can create a stream; just for an example, let us call it SSH accepted/failed.
Then create a rule where you enter:
field : messages
type : match regular expression
value for failed: Failed password for.+ from .+
and then create a new rule for the same stream with the value: Accepted password for.+ from .+
Then you will have a stream that is collecting failed and accepted logins for your SSH.
Upvotes: 0
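To see what the two stream rules from the answer above would actually collect, and what an alert on that stream would count, here is an added example (not code from the thread or from Graylog) that applies the same two patterns to constructed sshd log lines. The sample lines, the tighter `DETAIL_RE` capture pattern, and the threshold function are assumptions of this example and go beyond the two rules on the page; the thread only gives the two regexes.

```python
import re
from collections import Counter

# The two stream-rule patterns from the answer above. re.search looks for the
# pattern anywhere in the line, i.e. a substring match rather than a whole-line match.
FAILED_RE = re.compile(r"Failed password for.+ from .+")
ACCEPTED_RE = re.compile(r"Accepted password for.+ from .+")

# Tighter capture pattern (an addition of this example, not on the page) that
# pulls the user name and source address out of the same sshd message shape.
DETAIL_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample auth.log lines in the default OpenSSH/syslog format.
SAMPLE_LINES = [
    "Mar  3 10:01:12 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 54122 ssh2",
    "Mar  3 10:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 54130 ssh2",
    "Mar  3 10:01:20 host1 sshd[1205]: Accepted password for alice from 192.0.2.10 port 50111 ssh2",
    "Mar  3 10:01:22 host1 sshd[1207]: Connection closed by 198.51.100.5 port 40001 [preauth]",
    "Mar  3 10:01:30 host1 sshd[1209]: Failed password for root from 203.0.113.7 port 54140 ssh2",
    "Mar  3 10:01:31 host1 sshd[1210]: Accepted publickey for bob from 192.0.2.11 port 50120 ssh2: ED25519 SHA256:abc",
]


def classify(line):
    """Return 'failed', 'accepted' or None, mirroring the two stream rules."""
    if FAILED_RE.search(line):
        return "failed"
    if ACCEPTED_RE.search(line):
        return "accepted"
    return None


def route_to_stream(lines):
    """Return the lines the 'SSH accepted/failed' stream would collect, keyed by outcome."""
    collected = {"failed": [], "accepted": []}
    for line in lines:
        outcome = classify(line)
        if outcome:
            collected[outcome].append(line)
    return collected


def failures_per_source(lines):
    """Count failed password attempts per source IP; this is the number an alert condition thresholds on."""
    counts = Counter()
    for line in lines:
        if classify(line) != "failed":
            continue
        m = DETAIL_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def sources_over_threshold(lines, threshold):
    """Sources with at least `threshold` failed attempts among the given lines."""
    return sorted(src for src, n in failures_per_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    streamed = route_to_stream(SAMPLE_LINES)
    print(f"failed: {len(streamed['failed'])}, accepted: {len(streamed['accepted'])}")
    print(dict(failures_per_source(SAMPLE_LINES)))
    print(sources_over_threshold(SAMPLE_LINES, 3))
```

Two things worth noticing when you carry this over to Graylog: the "Accepted password for" rule does not match the `Accepted publickey for` line, so key-based logins never reach the stream unless you add a rule for them; and the stream only groups messages, so the per-source count is what an alert condition on that stream has to evaluate before it fires. Test each rule against a real sshd message in the stream rule editor before relying on it.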