Alert on multiple ssh root sessions

Description of your problem

I am trying to alert on 4 or more failed ssh root attempts into systems.

Description of steps you’ve taken to attempt to solve the issue

I have found 2 filters

  1. message:"sshd" AND "authentication failure"
    This one only alerts after I have tried my root password 3 times, and then sends 1 alert rather than 3, but this one does show me a field for user "root" which I can filter on.

  2. message:"ssh2" AND "Failed password for root from"
    This one logs every time I do a failed password, which is good because then I can set an aggregation for >=4. But there is no specific field for user because the user root is in the message.

I would like to use the best of both filters, so that I get a user field and it logs every time a failed password has happened, so that I can set an alert to notify on an aggregate of >=4 and then send an email.

Operating system information

  • CentOS 7.9

Package versions

  • Graylog 4.2.0
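The question above comes down to two steps: pull the user (and source host) out of the "Failed password for ... from ..." message, which is emitted once per attempt, and then count those per-attempt events against a threshold. The following is an added example, not code from the original post or from Graylog: a small Python parser for CentOS 7 `/var/log/secure` sshd lines that extracts `user` and `rhost` from both message forms, counts only the per-attempt "Failed password" events (the pam_unix "authentication failure" line is extracted for its user field but not counted, since it is not one-per-attempt), and reports any (user, rhost) pair that reaches the threshold inside a sliding time window. The log lines are constructed sample data; the function and field names are the example's own. In Graylog the equivalent of `parse_line` is a pipeline rule using `regex()` and `set_field()`, and the equivalent of `failed_root_alerts` is an aggregation event definition on the resulting field.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in CentOS 7 /var/log/secure syslog format (not from the post).
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  3 10:15:03 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  3 10:15:05 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  3 10:15:06 host1 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar  3 10:15:08 host1 sshd[2203]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar  3 10:15:09 host1 sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Mar  3 10:15:10 host1 sshd[2205]: Accepted publickey for deploy from 192.0.2.5 port 53300 ssh2
"""

# Per-attempt message: one line per failed password, user and source host inline.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+ ssh2"
)
# pam_unix summary message: carries a user= field but is not emitted once per attempt.
PAM_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)


def parse_line(line):
    """Return {'ts', 'user', 'rhost', 'kind'} for an sshd failure line, or None for anything else."""
    m = FAILED_RE.search(line)
    kind = "failed_password"
    if not m:
        m = PAM_RE.search(line)
        kind = "pam_auth_failure"
    if not m:
        return None
    # Syslog timestamp is the first 15 characters, e.g. "Mar  3 10:15:01" (no year).
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "rhost": m.group("rhost"), "kind": kind}


def failed_root_alerts(log_text, user="root", threshold=4, window=timedelta(minutes=5)):
    """Return one alert per (user, rhost) whose per-attempt failures reach `threshold` within `window`.

    Only 'failed_password' events are counted so each attempt is counted exactly once;
    an alert fires at most once per (user, rhost) to avoid a notification storm.
    """
    attempts = defaultdict(list)  # (user, rhost) -> timestamps still inside the window
    alerts, fired = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["kind"] != "failed_password" or ev["user"] != user:
            continue
        key = (ev["user"], ev["rhost"])
        bucket = [t for t in attempts[key] if ev["ts"] - t <= window] + [ev["ts"]]
        attempts[key] = bucket
        if len(bucket) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "user": key[0], "rhost": key[1], "count": len(bucket),
                "first": bucket[0].strftime("%b %d %H:%M:%S"),
                "last": bucket[-1].strftime("%b %d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for a in failed_root_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['count']} failed logins for {a['user']} from {a['rhost']} "
              f"between {a['first']} and {a['last']}")
```

Running the block against the sample reports a single alert for root from 198.51.100.7 (4 attempts in 7 seconds); the `invalid user admin` line is parsed but ignored because the user filter is `root`, and the pam_unix line is parsed but not counted. Keying on (user, rhost) rather than on user alone is what keeps a distributed brute force from one password sprayer and a mistyped password by an admin from looking identical in the count.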

@tor

I did a mockup of something I have in my environment but I combine two streams for my Alert definition.

You can add fields if you like to enhance your alerts; also I have macros in my notification template that show who and what failed.
Hope that helps