Tags: linux, ssh, logstash, logstash-grok

Records for ssh


Please refer to the file here.

The file contains ssh logs for Amazon Linux, CentOS and Ubuntu.

I want to write a grok pattern in Logstash which will parse the file and give me the expected results.

My question is: how do I get all the possible entries in the log file for a specific OS? Is there any document on this? It would help me while writing my grok pattern.

I want the following cases to be covered for all the available OS in my logstash grok.

  • How the login was done: whether it used a key or a username and password
  • Login is successful or failed
  • Sudo login is successful or failed
  • Brute-force attack: "Failed password for invalid user" or "possible break-in attempt". Are there any other entries which represent the same?

I hope I am clear with my question.


Solution

  • I don't think you will find a detailed explanation of the log format, maybe I'm wrong.

    Here you have some examples of logs and a little Grok example. If you want more pre-written Grok filters you can also use this site.

    Then, here are the logs I have for all your different cases. I changed my IPs to 0.0.0.0, erased my fingerprints and changed actual logins to username.

    Failed login:

    May 7 10:18:42 hostname sshd[6734]: pam_unix(sshd:auth): check pass; user unknown
    May 7 10:18:44 hostname sshd[6734]: Failed password for invalid user support from 76.123.128.215 port 54943 ssh2

    Brute-force attack:

    May 7 10:18:46 hostname sshd[6734]: Disconnecting: Too many authentication failures for invalid user support from 76.123.128.215 port 54943 ssh2 [preauth]
    May 7 10:18:46 hostname sshd[6734]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=c-76-123-128-215.hsd1.ms.comcast.net
    May 7 10:18:46 hostname sshd[6734]: PAM service(sshd) ignoring max retries; 6 > 3

    Public key login:

    May 11 17:21:21 hostname sshd[1972]: Accepted publickey for username from 0.0.0.0 port 43901 ssh2: ED25519 key_fingerprint
    May 11 17:21:21 hostname sshd[1972]: pam_unix(sshd:session): session opened for user username by (uid=0)

    Sudo session:

    May 11 17:21:24 hostname sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash
    May 11 17:21:24 hostname sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)

    Password login:

    May 10 10:36:23 hostname sshd[30746]: Accepted password for username from 0.0.0.0 port 58985 ssh2
    May 10 10:36:23 hostname sshd[30746]: pam_unix(sshd:session): session opened for user username by (uid=0)

    With those logs you should be able to write your filters and extract comprehensive data.
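The answer gives the raw lines but not the patterns. The following is an added example, not code from the question or the answer: it writes each case (key vs. password login, success vs. failure, sudo, brute force) as a Python named-group regex, which is the same syntax grok uses for custom fields, so the field names carry straight over into a Logstash `grok { match => ... }` block. The sample log is constructed from the answer's lines with the source address changed to 192.0.2.10; the "user NOT in sudoers" line and the `sudo_denied` pattern are an assumption about sudo's rejection format and do not come from the page.

```python
"""Classify sshd and sudo syslog lines (added example, not from the page).

Each regex is the Python named-group form of the grok pattern it stands for,
so the field names (user, method, src_ip, ...) map 1:1 onto grok fields.
"""
import re
from collections import defaultdict

# Shared syslog prefix: "May  7 10:18:42 host prog[pid]: message"
SYSLOG = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$'
)

# Message patterns, tried in order; the first match names the event.
MESSAGE = [
    ("ssh_login_ok", re.compile(
        r'^Accepted (?P<method>publickey|password|keyboard-interactive/pam) for '
        r'(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2'
        r'(?:: (?P<key_type>\S+) (?P<fingerprint>\S+))?$')),
    ("ssh_login_fail", re.compile(
        r'^Failed (?P<method>password|publickey|none) for (?P<invalid>invalid user )?'
        r'(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2$')),
    ("ssh_too_many_failures", re.compile(
        r'^Disconnecting: Too many authentication failures for (?:invalid user )?'
        r'(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2(?: \[preauth\])?$')),
    # Extra failures in the same sshd session that did not get their own line
    # are summarised by PAM; the count has to be added, not ignored.
    ("pam_more_failures", re.compile(
        r'^PAM (?P<count>\d+) more authentication failures?;.*\brhost=(?P<rhost>\S*)$')),
    ("pam_session", re.compile(
        r'^pam_unix\((?P<service>\w+):session\): session (?P<state>opened|closed) for user '
        r'(?P<user>\S+)(?: by (?P<by_user>\S*)\(uid=(?P<uid>\d+)\))?$')),
    ("sudo_ok", re.compile(
        r'^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; '
        r'USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$')),
    # Rejected sudo: a reason is inserted before TTY. Assumed format, not from the page.
    ("sudo_denied", re.compile(
        r'^(?P<user>\S+) : (?P<reason>.*?) ; TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; '
        r'USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$')),
]

# Constructed sample, modelled on the answer's lines (source address replaced).
SAMPLE_LOG = [
    "May  7 10:18:42 hostname sshd[6734]: pam_unix(sshd:auth): check pass; user unknown",
    "May  7 10:18:44 hostname sshd[6734]: Failed password for invalid user support from 192.0.2.10 port 54943 ssh2",
    "May  7 10:18:46 hostname sshd[6734]: Disconnecting: Too many authentication failures for invalid user support from 192.0.2.10 port 54943 ssh2 [preauth]",
    "May  7 10:18:46 hostname sshd[6734]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    "May 11 17:21:21 hostname sshd[1972]: Accepted publickey for username from 192.0.2.20 port 43901 ssh2: ED25519 SHA256:key_fingerprint",
    "May 11 17:21:21 hostname sshd[1972]: pam_unix(sshd:session): session opened for user username by (uid=0)",
    "May 11 17:21:24 hostname sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash",
    "May 11 17:21:24 hostname sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)",
    "May 10 10:36:23 hostname sshd[30746]: Accepted password for username from 192.0.2.20 port 58985 ssh2",
    "May 10 10:36:23 hostname sshd[30746]: pam_unix(sshd:session): session opened for user username by (uid=0)",
    "May 11 17:30:02 hostname sudo: username : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash",
]


def parse_line(line):
    """Return a dict of fields, or None if the syslog prefix does not match."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    for name, pat in MESSAGE:
        mm = pat.match(event["message"])
        if mm:
            event["event"] = name
            event.update({k: v for k, v in mm.groupdict().items() if v is not None})
            break
    else:
        event["event"] = "unparsed"   # grok's equivalent is the _grokparsefailure tag
    return event


def parse_all(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def login_outcomes(events):
    """(user, method, outcome) for every sshd authentication decision."""
    out = []
    for e in events:
        if e["event"] == "ssh_login_ok":
            out.append((e["user"], e["method"], "success"))
        elif e["event"] == "ssh_login_fail":
            out.append((e["user"], e["method"], "failure"))
    return out


def brute_force_sources(events, threshold=5):
    """Failures per source IP, correlating the PAM summary to the IP via the
    sshd child pid (one pid == one connection), flagged at >= threshold."""
    sessions = {}
    for e in events:
        s = sessions.setdefault((e.get("host"), e.get("pid")), {"src_ip": None, "failures": 0})
        if e["event"] in ("ssh_login_fail", "ssh_too_many_failures"):
            s["src_ip"] = e["src_ip"]
        if e["event"] == "ssh_login_fail":
            s["failures"] += 1
        elif e["event"] == "pam_more_failures":
            s["failures"] += int(e["count"])
    totals = defaultdict(int)
    for s in sessions.values():
        if s["src_ip"]:
            totals[s["src_ip"]] += s["failures"]
    return {ip: n for ip, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOG)
    for e in events:
        print(e["event"], {k: e[k] for k in ("user", "method", "src_ip") if k in e})
    print("logins:", login_outcomes(events))
    print("brute force:", brute_force_sources(events))
```

Two things worth carrying over into the real grok filter: the `pam_unix(sshd:auth): check pass; user unknown` line deliberately falls through to `unparsed`, which is the bucket to watch while you extend the patterns per OS; and the brute-force count is 1 + 5 = 6 for the sample session, which matches the `6 > 3` that sshd itself reports in the answer's "ignoring max retries" line, so counting only the `Failed password` lines would undercount by a factor of six.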