Created
May 20, 2019 07:14
-
-
Save evaristorivi/b124d0c0b2cb136acec3c0462407dcd7 to your computer and use it in GitHub Desktop.
PATTERN auth
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # partly from https://github.com/PCextreme/logstash-grok-patterns/blob/master/auth | |
| # | |
| # ssh | |
| SSH_PUB_LOGIN %{SYSLOGBASE} Accepted publickey for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_PUB_LOGIN_S Accepted publickey for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_OPEN_SESSION session opened for user %{USERNAME:username} by \(uid=%{INT:uid:int}\) | |
| SSH_CLOSE_SESSION session closed for user %{USERNAME:username} | |
| SSH_PASSWORD_LOGIN %{SYSLOGBASE} Accepted password for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_PASSWORD_LOGIN_S Accepted password for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_FAILED_LOGIN %{SYSLOGBASE} Failed password for (invalid user |)%{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_FAILED_LOGIN_S Failed password for (invalid user |)%{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol} | |
| SSH_FAILED_AUTH_S authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=%{IPORHOST:rhost} user=%{USERNAME:username} | |
| SSH_DISCONNECT %{SYSLOGBASE} Received disconnect from %{IPORHOST:remote}: %{BASE10NUM:code}: %{GREEDYDATA:reason} | |
| SSH_DISCONNECT_S Received disconnect from %{IPORHOST:remote}: %{BASE10NUM:code}: %{GREEDYDATA:reason} | |
| SSH_SNOOPY %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} snoopy(?:\[%{POSINT:pid}\])?: \[uid:%{INT:uid:int} sid:%{INT:sid:int} tty:%{DATA:tty} cwd:%{DATA:cwd} filename:%{DATA:filename}\]: %{GREEDYDATA:command} | |
| SSH_ALLOW_USER User %{USERNAME:username} from %{IPORHOST:remote} not allowed because not listed in AllowUsers | |
| # auth | |
| AUTH_LOG_LINE %{SYSLOGBASE} %{GREEDYDATA:logline} | |
| #May 17 13:20:04 HermesTrismegisto gdm-password]: pam_unix(gdm-password:session): session opened for user ejemplo by (uid=0) | |
| #AUTH_LOG_LINE \): session opened for user %{USERNAME:username} by \(uid=%{INT:uid:int}\) | |
| # sudo | |
| SUDO_LOGLINE session opened for user %{USERNAME:userto} by %{USERNAME:username} | |
| SUDO_PROG %{USERNAME:username} : TTY=%{GREEDYDATA:tty} ; PWD=%{GREEDYDATA:pwd} ; USER=%{USERNAME:userto} ; COMMAND=%{GREEDYDATA:command}$ | |
| SUDO_CLOSE session closed for user %{USERNAME:username} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment