Cannot search for ssh login in syslog

1. Describe your incident:

Well, I am new to graylog, so I am still trying to understand how it works. My simple setup is with a Linux machine and its rsyslog that transmit all auth.* and authpriv.* facility marked messages to graylog. I setup a TCP syslog input on Graylog and it works.

Now, I would like to search for ssh access. So I type a query for access granted and one for access denied. I write them between double quotes:

"Accepted password for"
"Failed password for"

and I try them, one at a time, on the search page. The first one does not give any result, while the second one gives a lot of results. The problem is that the first one should return some records too.

Of course I tried accessing the system via ssh, both using a correct password and with a wrong one. I also saw that both lines are in the original server /var/log/auth.log file (it is a Debian machine). I checked that both records were received by graylog by looking at the /var/lib/graylog-server/journal/messagejournal-0/00000000000000040883.log file.

Still, I cannot find any records about accepted connections.

2. Describe your environment:

  • OS Information:
    Ubuntu 23.04, Graylog host
    Debian 12, SSH server + rsyslog

  • Package Version:
    graylog-server package version 5.1.6-1
    opensearch version 2.10.0
    mongodb-org version 7.0.2
    openjdk-17-jre-headless version 17.0.8.1+1

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I did try with previous graylog versions and, since it failed, I upgraded to the 5.1.6 version just released yesterday.
I also tried to set up a stream with rules, but I got the same empty result.

4. How can the community help?
Hopefully someone could just point me to the right direction.

Thank you,
Giuseppe

If you try a successful login, and then immediately refresh the search page a few times, you should see the messages come in. Your best bet will be to find the actual message in this way and then be able to see exactly how it looks to find it later. Also, ideally you will want to parse these messages into fields, which will make searching the data much easier.
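To illustrate the "parse these messages into fields" suggestion above, here is an added example (not code from the original post, not part of Graylog) that parses sshd authentication lines in the format rsyslog forwards for the auth/authpriv facilities and extracts the fields you would want indexed: outcome, method, user, source IP and port, plus whether sshd flagged the account as an invalid user. The sample lines are constructed for the example, and the field names are my own choice; the same regex can serve as the starting point for a Graylog regex extractor or grok pattern.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines (not taken from the original post) in the BSD-syslog
# style rsyslog forwards from a Debian host: timestamp, host, process[pid], message.
SAMPLE_LINES = [
    "Oct 20 10:12:01 debian sshd[1234]: Accepted password for giuseppe from 192.168.1.50 port 51234 ssh2",
    "Oct 20 10:12:45 debian sshd[1240]: Failed password for giuseppe from 192.168.1.50 port 51240 ssh2",
    "Oct 20 10:13:02 debian sshd[1245]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Oct 20 10:13:30 debian sshd[1250]: Accepted publickey for giuseppe from 192.168.1.50 port 51300 ssh2: ED25519 SHA256:AbCdEf",
    "Oct 20 10:14:00 debian CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# One pattern covers both "Accepted ..." and "Failed ..." messages, including the
# "invalid user" form sshd emits for accounts that do not exist. The named groups
# become the fields; match() anchors at the start and ignores the trailing
# "ssh2" / key fingerprint part, which varies between methods.
SSHD_AUTH_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src_ip>[0-9A-Fa-f.:]+) port (?P<src_port>\d+)"
)


def parse_sshd_auth(line: str) -> Optional[Dict[str, object]]:
    """Return the extracted fields for an sshd Accepted/Failed line, or None for anything else."""
    m = SSHD_AUTH_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["timestamp"],
        "host": g["host"],
        "pid": int(g["pid"]),
        "result": g["result"].lower(),   # "accepted" or "failed"
        "method": g["method"],           # password, publickey, keyboard-interactive, ...
        "user": g["user"],
        "invalid_user": g["invalid"] is not None,
        "src_ip": g["src_ip"],
        "src_port": int(g["src_port"]),
    }


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line, dropping messages that are not sshd auth results (CRON, sudo, ...)."""
    events = []
    for line in lines:
        ev = parse_sshd_auth(line)
        if ev is not None:
            events.append(ev)
    return events


def search(events: List[Dict[str, object]], **criteria) -> List[Dict[str, object]]:
    """Exact-match field search, e.g. search(events, result="accepted", user="giuseppe")."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]


def failures_by_source(events: List[Dict[str, object]]) -> Counter:
    """Failed logins per source IP, the usual first check for password guessing."""
    return Counter(ev["src_ip"] for ev in events if ev["result"] == "failed")


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LINES)
    for ev in search(evs, result="accepted"):
        print(f"accepted {ev['method']} login: {ev['user']} from {ev['src_ip']}")
    print("failed logins per source:", dict(failures_by_source(evs)))
```

Once the outcome is a field rather than free text, "accepted vs. failed" becomes a field query instead of a phrase search, and the distinction between a failed login for an existing account and one for an unknown account (the `invalid user` form) is preserved instead of being buried in the message string.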

Hello @Joel_Duffield,
that is the strange part: in fact I do not see these messages at all, not even when browsing the list without any filter.
I see them in the source syslog, I see them in the journal of graylog, I do not see them in graylog.

I’ll try to better investigate.

Thank you,
Giuseppe
