Using Graylog 2.2.3 installed on CentOS 7.
Created a stream called "Linux: Failed Authentication", with the following rules:
Field message must contain check pass; user unknown (Unknown user/s)
Field message must contain Failed password for invalid user (Password failed for invalid user)
Field message must contain Failed password for root (Password failed for root user)
Field message must contain PAM 3 more authentication failures (3 failed login attempts)
These work great; I tested and confirmed they work. But when I executed a failed login attempt through Graylog's Web Interface, messages were not sent. I looked in the /var/log/graylog-server/server.log file and did find the following:
2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user "joe.maymay"
These notifications were not displayed on the Graylog Web GUI. Any thoughts why I would not get these messages?
I tried configuring the rsyslog.conf file, no joy. Any help would be appreciated.
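The stream rules in the post are all of the form "Field message must contain <text>". The following added example (written for this page, not the poster's configuration or Graylog's own code) models those four rules as substring tests and runs them over constructed sample lines: four that imitate the sshd/PAM entries CentOS 7 writes to /var/log/secure, plus the SessionsResource lines quoted from server.log. It assumes Graylog's "contain" rule is a plain, case-sensitive substring match on the named field and that the stream is in "match at least one rule" mode; both are assumptions, not something the post states. The point it makes visible is that the server.log lines carry different wording ("Invalid username or password") from the sshd/PAM lines, so they would match none of the four rules even once the file is shipped into Graylog.

```python
"""Evaluate Graylog-style "field must contain" stream rules over sample log lines.

Added example, not from the original post. Assumption: a "must contain" rule is a
case-sensitive substring test on one field, and a message enters the stream when
at least one rule matches. All sample messages below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ContainsRule:
    """One 'Field <field> must contain <needle>' rule plus its description."""
    field: str
    needle: str
    description: str

    def matches(self, message: Dict[str, str]) -> bool:
        # Assumption: case-sensitive substring match; a missing field never matches.
        return self.needle in message.get(self.field, "")


# The four rules of the "Linux: Failed Authentication" stream, as listed in the post.
STREAM_RULES: List[ContainsRule] = [
    ContainsRule("message", "check pass; user unknown", "Unknown user/s"),
    ContainsRule("message", "Failed password for invalid user", "Password failed for invalid user"),
    ContainsRule("message", "Failed password for root", "Password failed for root user"),
    ContainsRule("message", "PAM 3 more authentication failures", "3 failed login attempts"),
]

# Constructed samples: "secure-*" imitate sshd/PAM lines from /var/log/secure on CentOS 7,
# "server-*" copy the SessionsResource lines the poster found in server.log.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "secure-1", "message": "sshd[2041]: pam_unix(sshd:auth): check pass; user unknown"},
    {"id": "secure-2", "message": "sshd[2041]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2"},
    {"id": "secure-3", "message": "sshd[2052]: Failed password for root from 192.0.2.10 port 51240 ssh2"},
    {"id": "secure-4", "message": "sshd[2052]: PAM 3 more authentication failures; logname= uid=0 euid=0 "
                                  "tty=ssh ruser= rhost=192.0.2.10 user=root"},
    {"id": "server-1", "message": 'INFO [SessionsResource] Invalid username or password for user "joe.joe"'},
    {"id": "server-2", "message": 'INFO [SessionsResource] Invalid username or password for user "joe.may"'},
]


def route_to_stream(messages: List[Dict[str, str]], rules: List[ContainsRule]) -> Dict[str, List[str]]:
    """Return, per message id, the descriptions of every rule that message satisfies."""
    return {m["id"]: [r.description for r in rules if r.matches(m)] for m in messages}


def unrouted(messages: List[Dict[str, str]], rules: List[ContainsRule]) -> List[str]:
    """Ids of messages no rule matches; in 'at least one' mode these never enter the stream."""
    return [mid for mid, hits in route_to_stream(messages, rules).items() if not hits]


if __name__ == "__main__":
    for mid, hits in route_to_stream(SAMPLE_MESSAGES, STREAM_RULES).items():
        print(f"{mid}: {hits if hits else 'no rule matched'}")
    print("would not reach the stream:", unrouted(SAMPLE_MESSAGES, STREAM_RULES))
```

Running it shows each sshd/PAM sample landing on exactly one rule and both server.log samples landing on none. Shipping server.log (the rsyslog side of the question) is a separate step this block does not model; even with that solved, a stream built only from these four rules would need a fifth rule keyed on the SessionsResource wording before web-interface failures appeared in it.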