Hello All,
Using Graylog 2.2.3 installed on CentOS 7.
Created a stream called "Linux: Failed Authentication", with the following rules:
Field message must contain "check pass; user unknown" (Unknown user/s)
Field message must contain "Failed password for invalid user" (Password failed for invalid user)
Field message must contain "Failed password for root" (Password failed for root user)
Field message must contain "PAM 3 more authentication failures" (3 failed login attempts)
These work great; I tested and confirmed they work. But when I executed a failed login attempt through Graylog's web interface, no messages were sent. I looked in the /var/log/graylog-server/server.log file and found the following:
2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user "joe.maymay"
These notifications were not displayed in the Graylog web GUI. Any thoughts on why I would not get these messages?
I tried configuring the rsyslog.conf file, no joy. Any help would be appreciated.
Hello jochen,
Thank you for the reply.
Yeah, I'm using Syslog UDP, so maybe it's a combination of my configuration on the Graylog server and the rsyslog file?
Should I use GELF instead of Syslog UDP, and then configure rsyslog.conf to send the log file(s) from server.conf?
I made some failed login attempts on the Graylog GUI. The /var/log/graylog-server/server.log file showed the following:
2017-05-12T22:04:41.523-05:00 INFO [SessionsResource] Invalid username or password for user "joe.joe"
2017-05-12T22:04:48.940-05:00 INFO [SessionsResource] Invalid username or password for user "joe.may"
2017-05-12T22:04:56.813-05:00 INFO [SessionsResource] Invalid username or password for user "joe.maymay"
I want these logs to show in the Graylog web interface so I can create a stream and then add an alert.
Unfortunately these logs do not show up; how would I go about doing this?
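The gap described in both posts is that nothing is tailing Graylog's own server.log and handing it to rsyslog, so the SessionsResource lines never reach the Syslog UDP input. Below is an added example rsyslog configuration for that step; it is not from the original thread or from the Graylog project. It uses rsyslog's imfile module to read the file and omfwd to forward each line to the existing Syslog UDP input. The file name, the target address 127.0.0.1 and the port 1514 are assumptions: use the bind address and port shown for your Syslog UDP input under System > Inputs.

```conf
# /etc/rsyslog.d/10-graylog-server-log.conf   (assumed filename; added example, not Graylog's own config)
# Tail Graylog's server.log and forward every line to the Graylog Syslog UDP input.
# ASSUMPTIONS: the Syslog UDP input listens on 127.0.0.1:1514. Change Target/Port
# to match the input you created in Graylog.

module(load="imfile")

# Read the file line by line. The trailing colon on the tag keeps the RFC 3164
# tag/message boundary unambiguous when Graylog parses the forwarded line.
# StateFile is required on rsyslog 7.x (CentOS 7.0-7.3) and optional on 8.x.
input(type="imfile"
      File="/var/log/graylog-server/server.log"
      Tag="graylog-server:"
      StateFile="imfile-graylog-server"
      Severity="info"
      Facility="local0"
      ruleset="to_graylog")

# Dedicated ruleset: these lines go only to Graylog, not to /var/log/messages.
ruleset(name="to_graylog") {
    action(type="omfwd"
           Target="127.0.0.1"
           Port="1514"
           Protocol="udp")
}
```

Check the syntax with `rsyslogd -N1` before `systemctl restart rsyslog`, then trigger another bad web login and search the input for "SessionsResource". Two things to keep in mind once the lines arrive: the forwarded line text lands in the Graylog `message` field, and none of the four existing stream rules match it, because the server.log entry contains none of those strings. A fifth rule such as Field message must contain "Invalid username or password for user" is needed for the "Linux: Failed Authentication" stream (or a separate stream) to pick these up and alert on them. Switching the input to GELF is not required for this; Syslog UDP carries the line fine, the missing piece is the file tail and forward.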