Grok for auth.log

colttt · September 13, 2021, 11:39am

Hello,
does someone someone have a complete GROK to parse the auth.log?

shoothub · September 13, 2021, 1:35pm

Which auth.log do you mean, please be more specific.

colttt · September 13, 2021, 1:44pm

on debian-(based)-systems /var/log/auth.log

shoothub · September 13, 2021, 1:55pm

Maybe you can use filebeat as a example:

github.com

elastic/beats/blob/master/filebeat/module/system/auth/ingest/pipeline.yml

description: Pipeline for parsing system authorisation/secure logs
processors:
- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'
- grok:
    field: message
    ignore_missing: true
    pattern_definitions:
      GREEDYMULTILINE: |-
        (.|
        )*
      TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
    patterns:
    - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
      %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user
      )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long}
      ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
    - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
      %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}'

This file has been truncated. show original

colttt · September 14, 2021, 7:27am

ok thanks… I’ll try that…
but its sad that graylog doesn’t have standard build-in things… (like auth.log, apache-access/error.log, etc… )

system · September 28, 2021, 7:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Extractor with pipes and Spaces Graylog Central (peer support)	6	2165	April 20, 2018
Log Extractor Help Graylog Central (peer support) grok-patternspl	2	427	April 24, 2023
Greedydata not validating Graylog Central (peer support)	7	399	March 11, 2021
GROK Formatting Graylog Central (peer support)	5	747	March 1, 2019
Pipeline grok syntax Graylog Central (peer support)	4	5653	December 19, 2017

Grok for auth.log

Related Topics