Failed login Attempts


(Greg Smith) #1

Hello All,
Using Graylog 2.2.3 installed on CentOS 7.
Created a stream called “Linux: Failed Authentication”, with the following rules;
Field message must contain check pass; user unknown (Unknown user/s)
Field message must contain Failed password for invalid user (Password failed for invalid user)
Field message must contain Failed password for root (Password failed for root user)
Field message must contain PAM 3 more authentication failures (3 failed login attempts)
These work great, tested and confirmed they work, but when I was executing a failed login attempt through Graylog’s Web Interface messages were not sent. I looked in /var/log/graylog-server/server.log file and did find the following;

2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user “joe.maymay”

These notification were not displayed on Graylog Web GUI. Any thoughts why I would not get these messages?
I tried configuring Rsyslog.conf file,no joy. Any help would be appreciated.


(Jochen) #2

How are you ingesting the logs of Graylog itself? They aren’t logged via syslog by default.


(Greg Smith) #3

Hello jochen,
Thank you for the reply.
Yeah I’m using Syslog UDP, So maybe its combo of my configuration on Graylog server and rsyslog file?.
Should I use GELF instead of Syslog UDP? Then Configure rsyslog.conf to send log file/s from server.conf?


(Jochen) #4

What are you trying to accomplish? Please elaborate on your use case.


(Greg Smith) #5

I made some failed login attempts on the Graylog GUI, In the /var/log/graylog-server/server.log file it showed the following;
2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user “joe.maymay”

I wanted these logs to show in Graylog Web interface so I can create a stream and then add a alert.
Unfortunately these logs do not show up, how would I go about doing this?


(Jochen) #6

You have to ingest the logs, e. g. using Filebeat, NXLog, or Logstash. Also take a look at the Graylog Collector Sidecar for configuring these.

Alternatively you can take a look at the Internal Logs Input plugin on the Graylog Marketplace.


(Greg Smith) #7

jochen,
Thank you for your help that is what I needed https://marketplace.graylog.org/addons/f6860ca4-532f-4e94-ae8e-c3655c508c52


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.