Failed login Attempts

gsmith · May 13, 2017, 5:09am

Hello All,
Using Graylog 2.2.3 installed on CentOS 7.
Created a stream called “Linux: Failed Authentication”, with the following rules;
Field message must contain check pass; user unknown (Unknown user/s)
Field message must contain Failed password for invalid user (Password failed for invalid user)
Field message must contain Failed password for root (Password failed for root user)
Field message must contain PAM 3 more authentication failures (3 failed login attempts)
These work great, tested and confirmed they work, but when I was executing a failed login attempt through Graylog’s Web Interface messages were not sent. I looked in /var/log/graylog-server/server.log file and did find the following;

2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user “joe.maymay”

These notification were not displayed on Graylog Web GUI. Any thoughts why I would not get these messages?
I tried configuring Rsyslog.conf file,no joy. Any help would be appreciated.

jochen · May 14, 2017, 9:28pm

How are you ingesting the logs of Graylog itself? They aren’t logged via syslog by default.

gsmith · May 15, 2017, 9:20pm

Hello jochen,
Thank you for the reply.
Yeah I’m using Syslog UDP, So maybe its combo of my configuration on Graylog server and rsyslog file?.
Should I use GELF instead of Syslog UDP? Then Configure rsyslog.conf to send log file/s from server.conf?

jochen · May 16, 2017, 7:23am

What are you trying to accomplish? Please elaborate on your use case.

gsmith · May 17, 2017, 4:40am

I made some failed login attempts on the Graylog GUI, In the /var/log/graylog-server/server.log file it showed the following;
2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user “joe.maymay”

I wanted these logs to show in Graylog Web interface so I can create a stream and then add a alert.
Unfortunately these logs do not show up, how would I go about doing this?

jochen · May 17, 2017, 7:21am

You have to ingest the logs, e. g. using Filebeat, NXLog, or Logstash. Also take a look at the Graylog Collector Sidecar for configuring these.

Alternatively you can take a look at the Internal Logs Input plugin on the Graylog Marketplace.

gsmith · May 18, 2017, 1:28am

jochen,
Thank you for your help that is what I needed https://marketplace.graylog.org/addons/f6860ca4-532f-4e94-ae8e-c3655c508c52

system · June 1, 2017, 1:28am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Inputs Syslog UDP/TCP - FAILED Graylog Central (peer support)	2	4159	August 16, 2017
No message sources found Graylog Central (peer support)	6	1654	April 5, 2017
Send data with rsyslog Graylog Central (peer support)	7	3929	September 3, 2019
Fail2ban logs not showing up Graylog Add-ons	1	741	January 6, 2021
Trouble getting data into Graylog Graylog Central (peer support)	6	4090	January 18, 2019

Failed login Attempts

Related Topics