I’m trying to create a pipeline that would extract data from ssh logs and set the username, ip, login_result and similar fields. I can do it in this fashion and it works - for single rule at a time:
rule “SSH Cert OK”
to_string($message.application_name) == “sshd” &&
starts_with(to_string($message.message), “Accepted publickey for “, true)
let grep = regex(”^Accepted publickey for (.[^\s]) from (.[^\s]) port (.*)”, to_string($message.message));
set_field ("ssh_result", "Login success"); set_field ("ssh_login_type", "Pubkey"); set_field ("username", grep["0"]); set_field ("src_ip", grep["1"]);
The problem is, I’d like to have multiple rules for different messages (login fail, bad cert, etc.).
Can I do it in single “rule” (like multiple when … then, but that would be rather inefficient); should I cascade rules, or is there a more efficient way?
I don’t think there is if…elseif or case thing here right?