aurore-logs/roles/logstash/templates/sshd.conf.j2

{{ ansible_managed | comment }}

filter {
	if [program] == "sshd" and [facility] == "auth" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^Accepted %{WORD:sshd_auth_method} for %{USERNAME:sshd_auth_user} from %{IP:sshd_client_ip} port %{INT:sshd_client_port} %{WORD:sshd_proto_version}(: %{WORD:sshd_key_type} %{WORD:sshd_key_hash_type}:%{BASE64:sshd_key_hash})?$"
      }
      add_tag => ["sshd", "sshd_accepted_auth"]
      tag_on_failure => []
    }
    grok {
			match => {
        "message" => "^Received disconnect from %{IP:sshd_client_ip} port %{INT:sshd_client_port}:%{INT:sshd_disconnect_reason}: %{GREEDYDATA:sshd_disconnect_msg}$"
      }
      add_tag => ["sshd", "sshd_received_disconnect"]
      tag_on_failure => []
		}
    grok {
      match => {
        "message" => "^Disconnected from user %{USERNAME:sshd_auth_user} %{IP:sshd_client_ip} port %{INT:sshd_client_port}$"
      }
      add_tag => ["sshd", "sshd_disconnected"]
      tag_on_failure => []
    }
    grok {
      match => {
        "message" => "^Server listening on %{IP:sshd_listen_ip} port %{INT:sshd_listen_port}.$"
      }
      add_tag => ["sshd", "sshd_listening"]
      tag_on_failure => []
    }
    grok {
      match => {
        "message" => "^Received signal %{INT:sshd_signal}; %{GREEDYDATA:sshd_signal_action}.$"
      }
      add_tag => ["sshd", "sshd_received_signal"]
      tag_on_failure => []
    }
	}
}
Publication de la configuration. 2020-09-19 21:39:57 +02:00			`{{ ansible_managed \| comment }}`

			`filter {`
			`if [program] == "sshd" and [facility] == "auth" {`
			`grok {`
			`patterns_dir => ["/etc/logstash/patterns"]`
			`patterns_files_glob => "*.grok"`
			`match => {`
			`"message" => "^Accepted %{WORD:sshd_auth_method} for %{USERNAME:sshd_auth_user} from %{IP:sshd_client_ip} port %{INT:sshd_client_port} %{WORD:sshd_proto_version}(: %{WORD:sshd_key_type} %{WORD:sshd_key_hash_type}:%{BASE64:sshd_key_hash})?$"`
			`}`
			`add_tag => ["sshd", "sshd_accepted_auth"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`match => {`
			`"message" => "^Received disconnect from %{IP:sshd_client_ip} port %{INT:sshd_client_port}:%{INT:sshd_disconnect_reason}: %{GREEDYDATA:sshd_disconnect_msg}$"`
			`}`
			`add_tag => ["sshd", "sshd_received_disconnect"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`match => {`
			`"message" => "^Disconnected from user %{USERNAME:sshd_auth_user} %{IP:sshd_client_ip} port %{INT:sshd_client_port}$"`
			`}`
			`add_tag => ["sshd", "sshd_disconnected"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`match => {`
			`"message" => "^Server listening on %{IP:sshd_listen_ip} port %{INT:sshd_listen_port}.$"`
			`}`
			`add_tag => ["sshd", "sshd_listening"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`match => {`
			`"message" => "^Received signal %{INT:sshd_signal}; %{GREEDYDATA:sshd_signal_action}.$"`
			`}`
			`add_tag => ["sshd", "sshd_received_signal"]`
			`tag_on_failure => []`
			`}`
			`}`
			`}`