D0cEvil

Logstash - OpenSSHd

Sep 23rd, 2022 (edited)
  1. input {
  2.     file {
  3.         path => [ "/tmp/secure" ]
  4.         sincedb_path => "/dev/null"
  5.         start_position => "beginning"
  6.     }
  7. }
  8.  
  9. filter {
  10.     if "Failed" in [message] {
  11.         grok {
  12.             match => {
  13.                 "message" => "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{WORD} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
  14.             }
  15.         }
  16.         if "_grokparsefailure" in [tags] {
  17.             drop { }
  18.         }
  19.     }
  20.     else if "Accepted" in [message] {
  21.         grok {
  22.             match => {
  23.                 "message" => "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
  24.             }
  25.         }
  26.         if "_grokparsefailure" in [tags] {
  27.             drop { }
  28.         }      
  29.     }
  30.     else {
  31.         drop { }
  32.     }
  33.     date {
  34.             match => [ "timestamp", "MMM  d HH:mm:ss"]
  35.             target => "@timestamp"
  36.             remove_field => "timestamp"
  37.     }  
  38. }
  39.  
  40. output {
  41.     file {
  42.         path => "/tmp/output.json"
  43.         codec => "json_lines"
  44.     }
  45. }