Sshd field username


(theresa) #1

Hi,

I had a look at this contentpack https://github.com/jkumar2001/graylog-generic-syslog and it seems that some fields from the full_message are not extracted yet.
I’m looking for a way on how to fix this, and will then submit a pull-request to the person who initially created this contentpack.

For example I want to extract the username from a log message (sshd) like below:

Failed publickey for $user from IPv4-address port 1234 ssh2

It seems the IPv4 address is extracted just fine, but the username would be really helpful as well.

Any idea on how I could get started?

thanks a lot in advance,
cheers,
theresa


(Jochen) #2

You could use Grok for creating readable patterns: http://docs.graylog.org/en/2.2/pages/extractors.html#using-grok-patterns-to-extract-data


(Jan Doberstein) #3

Cheers Theresa,

You might find these extractors useful as a starting point:

{
  "extractors": [
    {
      "title": "generic key/value",
      "extractor_type": "copy_input",
      "converters": [
        {
          "type": "tokenizer",
          "config": {}
        }
      ],
      "order": 5,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "message",
      "extractor_config": {},
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_fail_username",
      "extractor_type": "regex",
      "converters": [],
      "order": 3,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_username",
      "extractor_config": {
        "regex_value": "Failed password for (?!invalid user )(.+) from"
      },
      "condition_type": "regex",
      "condition_value": "Failed"
    },
    {
      "title": "SSH_login_username",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_login_username",
      "extractor_config": {
        "regex_value": "Accepted (?:password|publickey) for (.+) from (.+) port"
      },
      "condition_type": "regex",
      "condition_value": "[a-zA-Z.]+."
    },
    {
      "title": "ssh_fail_invalid_username",
      "extractor_type": "regex",
      "converters": [],
      "order": 2,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_invalid_username",
      "extractor_config": {
        "regex_value": "(?:i|I)nvalid user (.+) from .+"
      },
      "condition_type": "regex",
      "condition_value": "(?:i|I)nvalid"
    },
    {
      "title": "SSH_fail_source",
      "extractor_type": "regex",
      "converters": [],
      "order": 4,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_source",
      "extractor_config": {
        "regex_value": " .* for .+ from (.+) port"
      },
      "condition_type": "regex",
      "condition_value": "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    },
    {
      "title": "SSH_invalid_source",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_source",
      "extractor_config": {
        "regex_value": "Invalid user (?:.+) from (.+)"
      },
      "condition_type": "regex",
      "condition_value": "Invalid .+"
    }
  ],
  "version": "2.2.0-SNAPSHOT"
}
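
To see what these condition/value regex pairs actually produce on sshd lines, including the "Failed publickey" case from the question (which the posted "Failed password" pattern does not match), here is an added Python example that is not part of the thread or the content pack. It uses Python's re as a stand-in for Graylog's Java regex engine, adds publickey to the failure pattern and tightens captures to \S+ (all three are assumptions of this example); the sample lines are constructed.

```python
import re

# Constructed sample sshd lines (not taken from the original post). The second
# line is the "Failed publickey" shape asked about in the question.
SAMPLE_LINES = [
    "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Failed publickey for bob from 192.0.2.11 port 1234 ssh2",
    "Failed password for carol from 192.0.2.12 port 40022 ssh2",
    "Failed password for invalid user admin from 198.51.100.7 port 48120 ssh2",
    "Invalid user admin from 198.51.100.7",
]

# Same IPv4 condition as the SSH_fail_source extractor above.
IPV4 = (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
        r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

# (target_field, value regex, condition regex), one tuple per Graylog extractor.
# Group 1 of the value regex becomes the field. Changes from the posted JSON
# (assumptions of this example): the fail-username pattern also accepts
# "publickey", and \S+ replaces the greedy .+ so a capture stops at a space.
EXTRACTORS = [
    ("ssh_login_username",
     r"Accepted (?:password|publickey) for (\S+) from (\S+) port", r"Accepted"),
    ("ssh_fail_username",
     r"Failed (?:password|publickey) for (?!invalid user )(\S+) from", r"Failed"),
    ("ssh_fail_invalid_username",
     r"(?:i|I)nvalid user (\S+) from", r"(?:i|I)nvalid"),
    # The condition only checks for an IPv4 address, so this extractor also
    # fires on accepted logins, exactly as the posted extractor would.
    ("ssh_fail_source", r" .* for .+ from (\S+) port", IPV4),
    ("ssh_fail_source", r"Invalid user (?:\S+) from (\S+)", r"Invalid .+"),
]


def extract_fields(message: str) -> dict:
    """Run every extractor whose condition matches and collect target fields,
    mimicking Graylog's regex extractors (Python re stands in for Java regex)."""
    fields = {}
    for target_field, value_regex, condition_regex in EXTRACTORS:
        if not re.search(condition_regex, message):
            continue
        match = re.search(value_regex, message)
        if match:
            fields[target_field] = match.group(1)
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", extract_fields(line))
```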
