I am trying to alert on 4 or more failed ssh root attempts into systems.
I have found 2 filters
`message:"sshd" AND "authentication failure"`
This one only alerts after I have tried my root password 3 times and then sends 1 alert rather than 3, but this one does show me a field for user "root" which I can filter on.
`message:"ssh2" AND "Failed password for root from"`
This one logs every time I do a failed password, which is good because then I can set an aggregation for >=4. But there is no specific field for user because the user root is in the message.
I would like to use the best of both filters, so that I get a user and it logs every time a failed password has happened, so that I can set an alert to notify on an aggregate of >=4 and then send an email.
- CentOS 7.9
- Graylog 4.2.0
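The user the post wants as a field can be pulled out of the per-attempt "Failed password for ... from ..." line with a regular expression. The Python below is an added example, not code from the original post or from Graylog; it runs the same extraction and the >=4 aggregation over constructed sample lines (hosts, timestamps and addresses are made up), which in Graylog itself would be a regex extractor or pipeline rule on the `message` field.

```python
import re
from collections import Counter

# Constructed sample log lines in the two forms quoted in the post (not real data).
SAMPLE_LOGS = [
    "Mar  1 10:00:01 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Mar  1 10:00:03 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Mar  1 10:00:05 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Mar  1 10:00:06 host1 sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root",
    "Mar  1 10:00:08 host1 sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Mar  1 10:00:09 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Mar  1 10:00:10 host1 sshd[1003]: Accepted publickey for deploy from 192.0.2.9 port 22222 ssh2",
]

# Per-attempt line from sshd; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2")
# PAM summary line; it is emitted once after several failures, so it is parsed but not counted.
PAM_RE = re.compile(r"authentication failure;.*rhost=(?P<src>\S*)\s+user=(?P<user>\S+)")


def parse_line(line):
    """Return {'user', 'src', 'kind'} for a failed-auth line, or None for anything else."""
    m = FAILED_RE.search(line)
    if m:
        return {"user": m["user"], "src": m["src"], "kind": "failed_password"}
    m = PAM_RE.search(line)
    if m:
        return {"user": m["user"], "src": m["src"], "kind": "pam_failure"}
    return None


def count_failed(lines, user="root"):
    """Count per-attempt failures for `user`, keyed by source address."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "failed_password" and ev["user"] == user:
            counts[ev["src"]] += 1
    return counts


def alerts(lines, user="root", threshold=4):
    """Sources whose failed-password count for `user` reached the threshold."""
    return {src: n for src, n in count_failed(lines, user).items() if n >= threshold}


if __name__ == "__main__":
    print(alerts(SAMPLE_LOGS))  # {'203.0.113.5': 4}
```

The same `(?P<user>...)` group, written as an unnamed group, is what a Graylog regex extractor on `message` would store into a `user` field, after which the aggregation condition on the second filter can key on that field.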