Alert on multiple ssh root sessions

Description of your problem

I am trying to alert on 4 or more failed ssh root attempts into systems.

Description of steps you’ve taken to attempt to solve the issue

I have found 2 filters

  1. message:"sshd" AND "authentication failure"
    This one only alerts after I have tried my root password 3 times and then sends 1 alert rather than 3, but this one does show me a field for user "root" which I can filter on.

  2. message:"ssh2" AND "Failed password for root from"
    This one logs every time I do a failed password, which is good because then I can set an aggregation for >=4. But there is no specific field for user because the user root is in the message.

I would like to use the best of both filters, so that I get a user and it logs every time a failed password has happened, so that I can set an alert to notify on aggregate >=4 and then send an email.

Operating system information

  • CentOS 7.9

Package versions

  • Graylog 4.2.0


I did a mockup of something I have in my environment but I combine two streams for my Alert definition.

You can add fields if you like to enhance your alerts. Also, I have macros in my notification template that show who and what failed.
Hope that helps.
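
An added example, not from either poster and not Graylog code: the same detection done offline in Python, pulling the user and source address out of each "Failed password for ... from" line so there is a field to filter on, then counting failures per host and source. The raw-syslog line layout, the 5-minute window, the assumed year and the function names are assumptions of this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line like this is logged per failed password; "invalid user" marks unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2")
THRESHOLD = 4                  # the ">= 4" from the question
WINDOW = timedelta(minutes=5)  # assumed aggregation window

def parse_failure(line, year=2022):
    """Return ts/host/user/src for a failed-password line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # Classic syslog timestamps carry no year, so one is assumed.
    f["ts"] = datetime.strptime(f"{year} {f['ts']}", "%Y %b %d %H:%M:%S")
    return f

def failed_login_alerts(lines, user="root"):
    """Return (host, src, count) whenever a host/source pair reaches THRESHOLD within WINDOW."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        f = parse_failure(line)
        if f is None or f["user"] != user:
            continue
        q = recent[(f["host"], f["src"])]
        q.append(f["ts"])
        while q[0] < f["ts"] - WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) == THRESHOLD:
            alerts.append((f["host"], f["src"], len(q)))
    return alerts

# Constructed sample lines (documentation IP ranges), not taken from the thread.
P = "Jan 10 09:00:%02d web01 sshd[2211]: "
SAMPLE = [P % s + "Failed password for root from 203.0.113.7 port 40110 ssh2" for s in (1, 5, 9, 14)]
SAMPLE += [
    P % 20 + "Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2",
    P % 30 + "pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7  user=root",
    P % 40 + "Failed password for root from 198.51.100.9 port 50000 ssh2",
]

if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE))
```

The PAM "authentication failure" line is skipped on purpose: as the question notes, it is not written once per attempt, so counting it would undercount.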
