Hi there,
let me say that I am totally new to graylog and this content pack has got me started looking at a few things. I am using graylog2 beta2.
ssh_login_username
(should this not extract all user names and aggregate them showing which user logged in how often?)
current: "Accepted password for (.+) from (.+) port"
rather: Accepted keyboard-interactive/pam for USER from IP port 61470 ssh2
or maybe: pam_unix(sshd:session): session opened for user root by (uid=0)
SSH Connection Dropped
(not sure about this one, are we only looking for dropped/blocked sessions by iptables?)
current: "IPTables Packet Dropped" AND iptables_dport:22
rather: pam_unix(sshd:session): session closed for user root
or: Received disconnect from 87.156.164.7: 11: disconnected by user
Fail2ban Ban
current: application_name:fail2ban.actions AND message:"NOTICE [sshd] Ban"
rather: application_name:fail2ban.actions AND (message:"WARNING [ssh] Ban" OR message:"WARNING [ssh-ddos] Ban")
Fail2ban Unban
current: application_name:fail2ban.actions AND message:"NOTICE [sshd] Unban"
rather: application_name:fail2ban.actions AND (message:"WARNING [ssh] Unban" OR message:"WARNING [ssh-ddos] Unban")
Root Login
current: message:" Accepted publickey for root " OR message:" Accepted password for root "
rather: message:"Accepted keyboard-interactive/pam for root"
SSH Login
current: message:" Accepted publickey for " OR message:" Accepted password for "
rather: see above but needs exception for root user
Some dashboards don't add up:
SSH login failed server reports a count of 38 and this is correct.
using: message:" Failed publickey for " OR message:" Failed password for " OR (message:"Invalid user" AND message:from)
Failed SSHD Metrics reports: 56 and this is wrong as the 38 above are correct.
using: application_name:sshd AND (message:"Failed" OR message:"Invalid user")
Also, SSH Login Failed Source IP shows a total of 27, while SSH Failure count, SSH Login failures and SSH login failed server all show a total of 38.
Would you have a look if you can replicate this?
I'd like to get this working properly but maybe I am misunderstanding something?
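To make the two points in the post concrete, here is an added example (not the content pack's code and not the poster's) that replays the quoted extractor regex and the two "failed" queries over a handful of constructed sshd message lines. It approximates Graylog's `message:"..."` phrase queries with a case-insensitive substring match, assumes every sample already carries `application_name:sshd`, and uses an assumed source-IP extractor regex (`FAILED_IP_RE`) to show how a dashboard built on an extracted field can report a smaller total than one built on the raw message. The broader username regex (`USER_RE_ANY_METHOD`) is likewise an assumption, not something the content pack ships.

```python
import re
from collections import Counter

# Constructed sample sshd messages (not real data, not from the poster's server).
SAMPLE_MESSAGES = [
    "Accepted password for alice from 192.0.2.10 port 50001 ssh2",
    "Accepted publickey for bob from 192.0.2.11 port 50002 ssh2",
    "Accepted keyboard-interactive/pam for carol from 192.0.2.12 port 61470 ssh2",
    "Accepted keyboard-interactive/pam for root from 192.0.2.12 port 61471 ssh2",
    "Failed password for invalid user admin from 198.51.100.5 port 40001 ssh2",
    "Failed password for alice from 198.51.100.6 port 40002 ssh2",
    "Failed publickey for bob from 198.51.100.7 port 40003 ssh2",
    "Failed keyboard-interactive/pam for carol from 198.51.100.8 port 40004 ssh2",
    "Failed none for invalid user test from 198.51.100.9 port 40005 ssh2",
    "Invalid user test from 198.51.100.9 port 40005",
    "Received disconnect from 198.51.100.9: 11: disconnected by user",
]

# Extractor regex as quoted in the post: fires only for password logins.
USER_RE_PASSWORD_ONLY = re.compile(r"Accepted password for (?P<user>.+) from (?P<ip>.+) port")
# Assumed broader alternative: any auth method (publickey, keyboard-interactive/pam, ...).
USER_RE_ANY_METHOD = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")
# Assumed source-IP extractor that only knows the two "classic" failure messages.
FAILED_IP_RE = re.compile(r"Failed (?:password|publickey) for .* from (?P<ip>\S+) port")


def phrase(msg, text):
    """Approximate a Graylog message:"..." phrase query: case-insensitive match."""
    return text.lower() in msg.lower()


def logins_per_user(messages, pattern):
    """Run an extractor regex over every message; count logins per extracted user."""
    counts = Counter()
    for msg in messages:
        m = pattern.search(msg)
        if m:
            counts[m.group("user")] += 1
    return counts


def logins_excluding_root(messages, pattern=USER_RE_ANY_METHOD):
    """The 'SSH Login' widget with root removed, so it does not overlap 'Root Login'."""
    counts = logins_per_user(messages, pattern)
    counts.pop("root", None)
    return counts


def matches_failed_narrow(msg):
    """'SSH login failed server' query from the post."""
    return (phrase(msg, "Failed publickey for") or phrase(msg, "Failed password for")
            or (phrase(msg, "Invalid user") and phrase(msg, "from")))


def matches_failed_broad(msg):
    """'Failed SSHD Metrics' query from the post (application_name:sshd assumed)."""
    return phrase(msg, "Failed") or phrase(msg, "Invalid user")


def count(messages, predicate):
    # Graylog counts messages, so a message matching several OR branches counts once.
    return sum(1 for m in messages if predicate(m))


def failed_only_in_broad(messages):
    """Messages that explain the gap between the broad and the narrow query."""
    return [m for m in messages if matches_failed_broad(m) and not matches_failed_narrow(m)]


def failed_source_ips(messages, pattern=FAILED_IP_RE):
    """Counts per extracted source IP; messages the extractor skips simply vanish."""
    counts = Counter()
    for msg in messages:
        m = pattern.search(msg)
        if m:
            counts[m.group("ip")] += 1
    return counts


if __name__ == "__main__":
    print("password-only extractor:", logins_per_user(SAMPLE_MESSAGES, USER_RE_PASSWORD_ONLY))
    print("any-method extractor:   ", logins_per_user(SAMPLE_MESSAGES, USER_RE_ANY_METHOD))
    print("narrow failed count:", count(SAMPLE_MESSAGES, matches_failed_narrow))
    print("broad failed count: ", count(SAMPLE_MESSAGES, matches_failed_broad))
    print("only in broad:", failed_only_in_broad(SAMPLE_MESSAGES))
    ips = failed_source_ips(SAMPLE_MESSAGES)
    print("source-IP widget total:", sum(ips.values()), ips)
```

On these samples the broad query is a strict superset of the narrow one; the extra hit is the `Failed keyboard-interactive/pam` line, which neither `" Failed publickey for "` nor `" Failed password for "` covers. The source-IP widget comes out lower still, because it can only count messages on which the IP extractor actually produced a field; the `Invalid user` and `Failed none` lines match the query but carry no extracted IP, so they drop out of that total.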