aurore-logs/roles/logstash/templates/sshd.conf.j2

43 lines
No EOL
1.5 KiB
Django/Jinja

{{ ansible_managed | comment }}
filter {
if [program] == "sshd" and [facility] == "auth" {
grok {
patterns_dir => ["/etc/logstash/patterns"]
patterns_files_glob => "*.grok"
match => {
"message" => "^Accepted %{WORD:sshd_auth_method} for %{USERNAME:sshd_auth_user} from %{IP:sshd_client_ip} port %{INT:sshd_client_port} %{WORD:sshd_proto_version}(: %{WORD:sshd_key_type} %{WORD:sshd_key_hash_type}:%{BASE64:sshd_key_hash})?$"
}
add_tag => ["sshd", "sshd_accepted_auth"]
tag_on_failure => []
}
grok {
match => {
"message" => "^Received disconnect from %{IP:sshd_client_ip} port %{INT:sshd_client_port}:%{INT:sshd_disconnect_reason}: %{GREEDYDATA:sshd_disconnect_msg}$"
}
add_tag => ["sshd", "sshd_received_disconnect"]
tag_on_failure => []
}
grok {
match => {
"message" => "^Disconnected from user %{USERNAME:sshd_auth_user} %{IP:sshd_client_ip} port %{INT:sshd_client_port}$"
}
add_tag => ["sshd", "sshd_disconnected"]
tag_on_failure => []
}
grok {
match => {
"message" => "^Server listening on %{IP:sshd_listen_ip} port %{INT:sshd_listen_port}.$"
}
add_tag => ["sshd", "sshd_listening"]
tag_on_failure => []
}
grok {
match => {
"message" => "^Received signal %{INT:sshd_signal}; %{GREEDYDATA:sshd_signal_action}.$"
}
add_tag => ["sshd", "sshd_received_signal"]
tag_on_failure => []
}
}
}