Filebeat System module - add Auth fileset patterns #35044

Closed
leweafan opened this issue Apr 9, 2023 · 2 comments
Labels: needs_team (indicates that the issue/PR needs a Team:* label), Stalled

Comments

leweafan (Contributor) commented Apr 9, 2023

Describe the enhancement:

Please add patterns for the System module (Auth fileset) to parse SSHD messages. Currently user.name and the IP address are not parsed.

Debian:

Apr  5 21:11:03 test01 sshd[5031]: Bad protocol version identification '0' from 10.10.10.10 port 37288
Apr  5 21:11:03 test01 sshd[5031]: Connection closed by 10.10.10.10 port 33126 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Connection closed by invalid user sherlock 10.10.10.10 port 35694 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Did not receive identification string from 10.10.10.10
Apr  5 21:11:03 test01 sshd[5031]: Disconnected from 10.10.10.10 port 38580
Apr  5 21:11:03 test01 sshd[5031]: Disconnected from invalid user sherlock 10.10.10.10 port 53892 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Disconnecting invalid user sherlock 10.10.10.10 port 57956: Too many authentication failures [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Received disconnect from 10.10.10.10 port 38580:11: disconnected by user
Apr  5 21:11:03 test01 sshd[5031]: Starting session: command on pts/0 for sherlock from 10.10.10.10 port 60140 id 0
Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because none of user's groups are listed in AllowGroups
Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because not listed in AllowUsers
Apr  5 21:11:03 test01 sshd[5031]: fatal: Access denied for user sherlock by PAM account configuration [preauth]
Apr  5 21:11:03 test01 sshd[5031]: fatal: Timeout before authentication for 10.10.10.10
Apr  5 21:11:03 test01 sshd[5031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10

CentOS:

Apr  5 21:11:03 test01 sshd[5031]: input_userauth_request: invalid user sherlock [preauth]

Describe a specific use case for the enhancement or feature:

This parsing is important for security reasons and SIEM rules.
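The following is an added example, not code from the issue author or from the Filebeat/Elastic project: a small Python parser that does what the issue asks of the Auth fileset, namely pull user.name, source.ip and source.port (plus an event action and outcome) out of the sshd message shapes quoted above. It generalizes slightly beyond the issue by also tagging each line as pre-authentication or not and by aggregating failures per source address, the kind of roll-up a SIEM rule would consume. The ECS-style flattened key names, the action labels, the outcome assignments and the sample lines are assumptions chosen for illustration; the sample lines are constructed to match the shapes in the issue.

```python
import re
from typing import Optional

# Constructed sample lines, same shapes as the Debian and CentOS lines quoted in the issue.
SAMPLE_LINES = [
    "Apr  5 21:11:03 test01 sshd[5031]: Bad protocol version identification '0' from 10.10.10.10 port 37288",
    "Apr  5 21:11:03 test01 sshd[5031]: Connection closed by 10.10.10.10 port 33126 [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: Connection closed by invalid user sherlock 10.10.10.10 port 35694 [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: Did not receive identification string from 10.10.10.10",
    "Apr  5 21:11:03 test01 sshd[5031]: Disconnected from 10.10.10.10 port 38580",
    "Apr  5 21:11:03 test01 sshd[5031]: Disconnected from invalid user sherlock 10.10.10.10 port 53892 [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: Disconnecting invalid user sherlock 10.10.10.10 port 57956: Too many authentication failures [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: Received disconnect from 10.10.10.10 port 38580:11: disconnected by user",
    "Apr  5 21:11:03 test01 sshd[5031]: Starting session: command on pts/0 for sherlock from 10.10.10.10 port 60140 id 0",
    "Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because none of user's groups are listed in AllowGroups",
    "Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because not listed in AllowUsers",
    "Apr  5 21:11:03 test01 sshd[5031]: fatal: Access denied for user sherlock by PAM account configuration [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: fatal: Timeout before authentication for 10.10.10.10",
    "Apr  5 21:11:03 test01 sshd[5031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10",
    "Apr  5 21:11:03 test01 sshd[5031]: input_userauth_request: invalid user sherlock [preauth]",
]

# Reusable fragments; each compiled pattern below uses each group name at most once.
IP = r"(?P<ip>[0-9a-fA-F:.]+)"      # IPv4 or IPv6 literal (assumption: no scope id, no brackets)
USER = r"(?P<user>\S+)"              # assumption: no whitespace inside the user name
PORT = r"port (?P<port>\d+)"
TAIL = r"(?: \[preauth\])?$"         # sshd appends [preauth] before authentication completes

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (event.action, event.outcome, message pattern). Action labels and outcomes are this example's own
# choices. The "invalid user" forms are listed before their generic forms so the specific one wins.
MESSAGE_PATTERNS = [
    ("bad_protocol", "unknown", re.compile(rf"^Bad protocol version identification '.*' from {IP} {PORT}{TAIL}")),
    ("connection_closed_invalid_user", "failure", re.compile(rf"^Connection closed by invalid user {USER} {IP} {PORT}{TAIL}")),
    ("connection_closed", "unknown", re.compile(rf"^Connection closed by {IP} {PORT}{TAIL}")),
    ("no_identification", "unknown", re.compile(rf"^Did not receive identification string from {IP}{TAIL}")),
    ("disconnected_invalid_user", "failure", re.compile(rf"^Disconnected from invalid user {USER} {IP} {PORT}{TAIL}")),
    ("disconnected", "unknown", re.compile(rf"^Disconnected from {IP} {PORT}{TAIL}")),
    ("too_many_failures", "failure", re.compile(rf"^Disconnecting invalid user {USER} {IP} {PORT}: (?P<reason>.*?){TAIL}")),
    ("received_disconnect", "unknown", re.compile(rf"^Received disconnect from {IP} {PORT}:(?P<code>\d+): (?P<reason>.*?){TAIL}")),
    ("session_start", "success", re.compile(rf"^Starting session: (?P<session>.*?) for {USER} from {IP} {PORT} id \d+{TAIL}")),
    ("denied_allowgroups", "failure", re.compile(rf"^User {USER} from {IP} not allowed because none of user's groups are listed in AllowGroups{TAIL}")),
    ("denied_allowusers", "failure", re.compile(rf"^User {USER} from {IP} not allowed because not listed in AllowUsers{TAIL}")),
    ("denied_pam_account", "failure", re.compile(rf"^fatal: Access denied for user {USER} by PAM account configuration{TAIL}")),
    ("timeout_preauth", "unknown", re.compile(rf"^fatal: Timeout before authentication for {IP}{TAIL}")),
    ("pam_auth_failure", "failure", re.compile(rf"^pam_unix\(sshd:auth\): authentication failure;.*\brhost={IP}(?: +user={USER})?{TAIL}")),
    ("invalid_user", "failure", re.compile(rf"^input_userauth_request: invalid user {USER}{TAIL}")),
]


def parse_sshd_line(line: str) -> Optional[dict]:
    """Return a flat ECS-style dict for an sshd syslog line, or None if the line is not from sshd.

    Lines from sshd whose message matches no pattern still come back, with event.action "unparsed",
    so a pipeline can count what it is failing to understand.
    """
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    msg = head.group("msg")
    event = {
        "timestamp_text": head.group("ts"),   # no year in classic syslog; left as text on purpose
        "host.name": head.group("host"),
        "process.pid": int(head.group("pid")),
        "event.action": "unparsed",
        "event.outcome": "unknown",
        "preauth": msg.endswith("[preauth]"),
        "message": msg,
    }
    for action, outcome, pattern in MESSAGE_PATTERNS:
        m = pattern.match(msg)
        if not m:
            continue
        fields = m.groupdict()                # non-participating groups come back as None
        event["event.action"] = action
        event["event.outcome"] = outcome
        if fields.get("user"):
            event["user.name"] = fields["user"]
        if fields.get("ip"):
            event["source.ip"] = fields["ip"]
        if fields.get("port"):
            event["source.port"] = int(fields["port"])
        if fields.get("reason"):
            event["event.reason"] = fields["reason"]
        break
    return event


def failures_by_source(lines) -> dict:
    """Count failure-outcome events per source.ip, the roll-up a brute-force SIEM rule would key on."""
    counts: dict = {}
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["event.outcome"] == "failure" and "source.ip" in ev:
            counts[ev["source.ip"]] = counts.get(ev["source.ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_sshd_line(sample)
        print(ev["event.action"], ev.get("user.name"), ev.get("source.ip"), ev.get("source.port"))
    print(failures_by_source(SAMPLE_LINES))
```

Two points worth keeping in mind when turning these regexes into Grok patterns for the fileset: the generic "Connection closed by" and "Disconnected from" forms must be tried after their "invalid user" variants (or anchored so a user name cannot be mistaken for an address), and the `[preauth]` suffix and the trailing port are optional in some sshd versions, so every pattern should tolerate their absence rather than fail the whole line.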

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 9, 2023
botelastic bot commented Apr 9, 2023

This issue doesn't have a Team:<team> label.

botelastic bot commented Apr 8, 2024

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Apr 8, 2024
@botelastic botelastic bot closed this as completed Oct 5, 2024