This monitoring artifact watches the auth.log file for new successful SSH login events and relays them back to the server.
name: Linux.Events.SSHLogin
description: |
This monitoring artifact watches the auth.log file for new
successful SSH login events and relays them back to the server.
reference:
- https://www.elastic.co/blog/grokking-the-linux-authorization-logs
type: CLIENT_EVENT
parameters:
- name: syslogAuthLogPath
default: /var/log/auth.log
- name: SSHGrok
description: A Grok expression for parsing SSH auth lines.
default: >-
%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{DATA:event} %{DATA:method} for (invalid user )?%{DATA:user} from %{IPORHOST:ip} port %{NUMBER:port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?
sources:
- query: |
-- Basic syslog parsing via GROK expressions.
LET success_login = SELECT grok(grok=SSHGrok, data=Line) AS Event, Line
FROM watch_syslog(filename=syslogAuthLogPath)
WHERE Event.program = "sshd" AND Event.event = "Accepted"
SELECT timestamp(string=Event.timestamp) AS Time,
Event.user AS User,
Event.method AS Method,
Event.IP AS SourceIP,
Event.pid AS Pid
FROM success_login