Description
Logstash filters that tag SSH brute-force attempts, sudo authentication failures, and other failed login attempts
Filters
# Parse each syslog-typed event with the stock SYSLOGLINE pattern so the
# message text is split out for the grep filters that follow; patterns_dir
# points at a directory of additional pattern definitions.
grok {
    type         => "syslog"
    patterns_dir => ["/opt/logstash/patterns"]
    pattern      => ["%{SYSLOGLINE}"]
}
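# Tag (never drop: drop => false) syslog events whose raw message looks like an
# authentication failure -- "Failed password", "authentication failure",
# "incorrect password".  The match is prefixed with (?i) so it is
# case-insensitive throughout; the original only tolerated a capital F via
# [fF], so a line such as "Authentication failure" did not match.  Note the
# "." in "incorrect.password" is a regex wildcard, not a literal space.
grep {
    type    => "syslog"
    drop    => false
    match   => [ "@message", "(?i)(failed|failure).*password|authentication.*failure|incorrect.password" ]
    add_tag => [ "auth_failure" ]
}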
# Tag (never drop) syslog events containing "Invalid user", typically sshd's
# report of a login attempt against a non-existent account.  The tag marks a
# single event: one such line is one attempt, not brute force by itself, so a
# count-over-time threshold still has to be applied downstream before this
# tag is treated as an alert.
grep {
    type    => "syslog"
    drop    => false
    add_tag => [ "ssh_brute_force" ]
    match   => [ "@message", "Invalid user" ]
}