aurore-logs/roles/logstash/templates/pam_unix.conf.j2

{{ ansible_managed | comment }}

filter {
	if [facility] == "authpriv" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: authentication failure; logname=(%{USERNAME:pam_logname})? uid=%{INT:pam_uid} euid=%{INT:pam_euid} tty=%{TTY:pam_tty} ruser=(%{USERNAME:pam_ruser})? rhost=(%{HOSTNAME:pam_rhost})? user=%{USERNAME:pam_user}$"
      }
      add_tag => ["pam_unix", "pam_unix_auth_fail"]
      tag_on_failure => []
    }
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: session opened for user (%{USERNAME:pam_user})?(\(uid=%{INT:pam_uid}\))? by (%{USERNAME:pam_by_user})?(\(uid=%{INT:pam_by_uid}\))?$"
      }
      add_tag => ["pam_unix", "pam_unix_session_opened"]
      tag_on_failure => []
    }
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: session closed for user %{USERNAME:pam_user}$"
      }
      add_tag => ["pam_unix", "pam_unix_session_closed"]
      tag_on_failure => []
    }
	}
}
Publication de la configuration. 2020-09-19 21:39:57 +02:00			`{{ ansible_managed \| comment }}`

			`filter {`
			`if [facility] == "authpriv" {`
			`grok {`
			`patterns_dir => ["/etc/logstash/patterns"]`
			`patterns_files_glob => "*.grok"`
			`match => {`
			`"message" => "^pam_unix%{PAM_PREFIX}: authentication failure; logname=(%{USERNAME:pam_logname})? uid=%{INT:pam_uid} euid=%{INT:pam_euid} tty=%{TTY:pam_tty} ruser=(%{USERNAME:pam_ruser})? rhost=(%{HOSTNAME:pam_rhost})? user=%{USERNAME:pam_user}$"`
			`}`
			`add_tag => ["pam_unix", "pam_unix_auth_fail"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`patterns_dir => ["/etc/logstash/patterns"]`
			`patterns_files_glob => "*.grok"`
			`match => {`
			`"message" => "^pam_unix%{PAM_PREFIX}: session opened for user (%{USERNAME:pam_user})?(\(uid=%{INT:pam_uid}\))? by (%{USERNAME:pam_by_user})?(\(uid=%{INT:pam_by_uid}\))?$"`
			`}`
			`add_tag => ["pam_unix", "pam_unix_session_opened"]`
			`tag_on_failure => []`
			`}`
			`grok {`
			`patterns_dir => ["/etc/logstash/patterns"]`
			`patterns_files_glob => "*.grok"`
			`match => {`
			`"message" => "^pam_unix%{PAM_PREFIX}: session closed for user %{USERNAME:pam_user}$"`
			`}`
			`add_tag => ["pam_unix", "pam_unix_session_closed"]`
			`tag_on_failure => []`
			`}`
			`}`
			`}`