aurore-logs/roles/logstash/templates/pam_unix.conf.j2

33 lines
1.2 KiB
Text
Raw Normal View History

2020-09-19 21:39:57 +02:00
{{ ansible_managed | comment }}
filter {
if [facility] == "authpriv" {
grok {
patterns_dir => ["/etc/logstash/patterns"]
patterns_files_glob => "*.grok"
match => {
"message" => "^pam_unix%{PAM_PREFIX}: authentication failure; logname=(%{USERNAME:pam_logname})? uid=%{INT:pam_uid} euid=%{INT:pam_euid} tty=%{TTY:pam_tty} ruser=(%{USERNAME:pam_ruser})? rhost=(%{HOSTNAME:pam_rhost})? user=%{USERNAME:pam_user}$"
}
add_tag => ["pam_unix", "pam_unix_auth_fail"]
tag_on_failure => []
}
grok {
patterns_dir => ["/etc/logstash/patterns"]
patterns_files_glob => "*.grok"
match => {
"message" => "^pam_unix%{PAM_PREFIX}: session opened for user (%{USERNAME:pam_user})?(\(uid=%{INT:pam_uid}\))? by (%{USERNAME:pam_by_user})?(\(uid=%{INT:pam_by_uid}\))?$"
}
add_tag => ["pam_unix", "pam_unix_session_opened"]
tag_on_failure => []
}
grok {
patterns_dir => ["/etc/logstash/patterns"]
patterns_files_glob => "*.grok"
match => {
"message" => "^pam_unix%{PAM_PREFIX}: session closed for user %{USERNAME:pam_user}$"
}
add_tag => ["pam_unix", "pam_unix_session_closed"]
tag_on_failure => []
}
}
}