1. Describe your incident:
Well, I am new to Graylog, so I am still trying to understand how it works. My simple setup is a Linux machine whose rsyslog transmits all auth.* and authpriv.* facility messages to Graylog. I set up a TCP syslog input on Graylog and it works.
Now, I would like to search for ssh access. So I type one query for access granted and one for access denied. I write them between double quotes:
“Accepted password for”
“Failed password for”
and I try them, one at a time, on the search page. The first one does not give any result, while the second one gives a lot of results. The problem is that the first one should return some records too.
Of course I tried accessing the system via ssh, both using a correct password and with a wrong one. I also saw that both lines are in the original server's /var/log/auth.log file (it is a Debian machine). I checked that both records were received by Graylog by looking at the /var/lib/graylog-server/journal/messagejournal-0/00000000000000040883.log file.
Still, I cannot find any records about accepted connections.
2. Describe your environment:
Ubuntu 23.04, Graylog host
Debian 12, SSH server + rsyslog
graylog-server package version 5.1.6-1
opensearch version 2.10.0
mongodb-org version 7.0.2
openjdk-17-jre-headless version 22.214.171.124+1
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
I did try with previous Graylog versions and, since it failed, I upgraded to the 5.1.6 version just released yesterday.
I also tried to set up a stream with rules, but I got the same empty result.
4. How can the community help?
Hopefully someone could just point me in the right direction.
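The post above searches the forwarded sshd messages for "Accepted password for" and "Failed password for". The following is an added example, not code from the poster or from Graylog, that does the same classification locally in Python over constructed auth.log lines in the Debian rsyslog format. Running a plain substring check like this on the raw text is a quick way to confirm exactly which phrases the stored messages contain before building a search query. The host name, users, PIDs and IP addresses in the sample are invented.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post) in the format
# rsyslog writes to /var/log/auth.log on Debian. Names and IPs are invented.
SAMPLE_AUTH_LOG = """\
Oct 12 09:14:02 debian sshd[1234]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Oct 12 09:14:40 debian sshd[1240]: Failed password for bob from 203.0.113.5 port 50188 ssh2
Oct 12 09:14:43 debian sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 50190 ssh2
Oct 12 09:15:01 debian sshd[1251]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2: ED25519 SHA256:c0ffee
Oct 12 09:15:30 debian CRON[1260]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches sshd authentication outcome lines; every other auth.log line is ignored.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd_events(text):
    """Return one dict per sshd Accepted/Failed line found in text."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "timestamp": d["ts"],
            "host": d["host"],
            "result": d["result"],                    # "Accepted" or "Failed"
            "method": d["method"],                    # password, publickey, ...
            "user": d["user"],
            "invalid_user": d["invalid"] is not None,  # sshd marks unknown accounts
            "source_ip": d["ip"],
            "port": int(d["port"]),
        })
    return events


def phrase_hits(text, phrase):
    """Count lines containing the exact phrase. A sanity check that the raw
    messages really carry the words a search query is going to look for."""
    return sum(1 for line in text.splitlines() if phrase in line)


def summarize(events):
    """Counts per outcome plus failed attempts per source IP."""
    by_result = Counter(e["result"] for e in events)
    failed_by_ip = Counter(e["source_ip"] for e in events if e["result"] == "Failed")
    return {"by_result": dict(by_result), "failed_by_ip": dict(failed_by_ip)}


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(f'{e["result"]:8} {e["method"]:9} user={e["user"]} '
              f'ip={e["source_ip"]} invalid_user={e["invalid_user"]}')
    print(summarize(evs))
    print("Accepted password for:", phrase_hits(SAMPLE_AUTH_LOG, "Accepted password for"))
    print("Failed password for:", phrase_hits(SAMPLE_AUTH_LOG, "Failed password for"))
```

Feed the real /var/log/auth.log into parse_sshd_events to see the same split the two Graylog queries are meant to produce; if phrase_hits finds the accepted lines in the raw file, the difference lies in how the search is formed or indexed, not in what sshd logged.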