Please refer to the file here.
The file contains SSH logs for Amazon Linux, CentOS and Ubuntu.
I want to write a grok pattern in Logstash, which will parse the file and give me the expected results.
My question is: how do I get all the possible entries in the log file for the specific OS? Is there any document on this? It would help me while writing my grok pattern.
I want the following cases to be covered for all the available OSes in my Logstash grok.
I hope I am clear with my question.
I don't think you will find a detailed explanation of the log format; maybe I'm wrong.
Here you have some examples of logs and a little Grok example. If you want more Grok pre-written filters you can also use this site.
Then, here are the logs I have for all your different cases. I changed my IPs to 0.0.0.0, erased my fingerprints and changed actual logins to username.
Failed login:
May 7 10:18:42 hostname sshd[6734]: pam_unix(sshd:auth): check pass; user unknown
May 7 10:18:44 hostname sshd[6734]: Failed password for invalid user support from 76.123.128.215 port 54943 ssh2
Brute-force attack:
May 7 10:18:46 hostname sshd[6734]: Disconnecting: Too many authentication failures for invalid user support from 76.123.128.215 port 54943 ssh2 [preauth]
May 7 10:18:46 hostname sshd[6734]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=c-76-123-128-215.hsd1.ms.comcast.net
May 7 10:18:46 hostname sshd[6734]: PAM service(sshd) ignoring max retries; 6 > 3
Public key login:
May 11 17:21:21 hostname sshd[1972]: Accepted publickey for username from 0.0.0.0 port 43901 ssh2: ED25519 key_fingerprint
May 11 17:21:21 hostname sshd[1972]: pam_unix(sshd:session): session opened for user username by (uid=0)
Sudo session:
May 11 17:21:24 hostname sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash
May 11 17:21:24 hostname sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Password login:
May 10 10:36:23 hostname sshd[30746]: Accepted password for username from 0.0.0.0 port 58985 ssh2
May 10 10:36:23 hostname sshd[30746]: pam_unix(sshd:session): session opened for user username by (uid=0)
With those logs you should be able to write your filters and extract comprehensive data.
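As an added illustration (not part of the answer above, and not a Logstash config), here is a Python parser whose regexes mirror the grok patterns you would write for the five cases: one shared syslog prefix plus one message pattern per event, with group names chosen to match the grok field names, and a small helper that turns the parsed events into the per-source-IP failed-login count a defender actually wants. The sample lines are the ones quoted in the answer; the event names and field names are my own choice.

```python
import re
from collections import Counter

# Syslog prefix; grok: %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{PROG:program}(?:\[%{POSINT:pid}\])?:
PREFIX = re.compile(r"(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")

# One message pattern per case in the answer; group names mirror the grok fields
# you would use (%{USERNAME:user}, %{IP:src_ip}, %{POSINT:src_port}, ...).
MESSAGES = {
    "ssh_failed_password": re.compile(
        r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from "
        r"(?P<src_ip>[\d.]+) port (?P<src_port>\d+) ssh2$"),
    "ssh_accepted": re.compile(
        r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from "
        r"(?P<src_ip>[\d.]+) port (?P<src_port>\d+) ssh2"
        r"(?:: (?P<key_type>\S+) (?P<fingerprint>\S+))?$"),
    "ssh_too_many_failures": re.compile(
        r"Disconnecting: Too many authentication failures for (?P<invalid>invalid user )?"
        r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+) ssh2"),
    "sudo_command": re.compile(
        r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
        r"USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$"),
}

SAMPLE_LOGS = [  # taken from the log lines quoted in the answer above
    "May 7 10:18:44 hostname sshd[6734]: Failed password for invalid user support from 76.123.128.215 port 54943 ssh2",
    "May 7 10:18:46 hostname sshd[6734]: Disconnecting: Too many authentication failures for invalid user support from 76.123.128.215 port 54943 ssh2 [preauth]",
    "May 11 17:21:21 hostname sshd[1972]: Accepted publickey for username from 0.0.0.0 port 43901 ssh2: ED25519 key_fingerprint",
    "May 11 17:21:24 hostname sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash",
]

def parse_line(line):
    """Return the extracted fields as a dict, or None if no pattern matches."""
    head = PREFIX.match(line.strip())
    if not head:
        return None
    fields = {k: v for k, v in head.groupdict().items() if v is not None and k != "message"}
    for event, pattern in MESSAGES.items():
        body = pattern.match(head.group("message"))
        if body:
            fields.update({k: v for k, v in body.groupdict().items() if v is not None})
            fields["invalid_user"] = fields.pop("invalid", None) is not None  # flag, not a username
            fields["event"] = event
            return fields
    return None  # e.g. the pam_unix "check pass; user unknown" line

def failed_logins_by_ip(lines):  # failed passwords per source IP: the basic brute-force signal
    return Counter(e["src_ip"] for e in map(parse_line, lines)
                   if e and e["event"] == "ssh_failed_password")
```

Lines that match the prefix but none of the message patterns (such as the pam_unix helper lines) come back as None, which is the same situation as a `_grokparsefailure` tag in Logstash and tells you which messages still need a pattern.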