Streams Graylog

Graylog Central (peer support)
1

Hi,

I added a Stream called “SSHD” when I use; Field application_name must match exactly sshd (sshd)

If I do manually a search with sshd I get results but in stream SSHD I can’t see any entry. Why? What should I add?

thanks.

2

Hey @berekese,

your information is a bit lacking since the reason could be one of many. Could you please elaborate a little more what you did? For example, name your exact configuration of the stream etc.

But here are some ideas:

  • Selected timespan does not include messages (Select larger one)
  • Mistype inside the rule
  • Stream is not started

Thank you :slight_smile:

Greetings - Phil

3

Thanks for reply. I am going to expand info :slight_smile:

I created a stream and add a rule with this details:
Field: application_name
Type: match exactly
Value: sshd

Stream is running and I have only one “Default Index set”.

I have in main dashboard all syslogs and if I do a search “Search in all messages” sshd I get a lot of results, why can’t I get it from stream?

Thanks.

4

Streams will online contain messages that are received when they are “running” and will contain only messages that are ingest after the creation.

No already ingested messages will show up in that stream.

5

Thanks Jan, in that case my stream isn’t working correctly because if I go inside Stream and search “sshd” last 30 minutes, for example, I get info but I must do the search when I’m inside of the stream.
My idea is go Stream (SSH) -> and see alerts what contains SSHD and after send me an email with possible attacks.

Thanks again.

6

and if you search in all messages

application_name:sshd

it shows results?

7

Yes, in Streams -> SSH I always see 0 messages, if I search in last 5 minutes I don’t get results but if I search in all messages I get a lot, and that messages are from less 5 minutes.
Example: Hour now 6:49,
Message:
2017-06-12 06:46:43.515

Well, I don’t get that message if I search in last 5 minutes.

Stream has only 1 rule: Field application_name must match exactly sshd (sshd)

Any ideas?
Thanks.

8

If you look at the example message you mention, what are the contents of the time related fields and the application_name field in that message, after Graylog has run all extractors and pipeline functions you have defined?

9

Thanks for reply.

I paste you a full trace. Hour 7:04

2017-06-13 07:00:21.392	mail
PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.X.X  user=root
 70eba514-4ff6-11e7-b3fe-000000000000

Received by
    Syslog on  76899de3 / mydomain.com
Stored in index
    graylog_0
Routed into streams

        All messages
        SSH

application_name

    sshd
facility
    security/authorization
level
    5
message
    PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.X.X  user=root
process_id
    5643
source
    mail
timestamp
2017-06-13T05:00:21.392Z

Well, if I search last 5 minutes I don’t get it but alert was 7.00 (and now its 7.04) but if I search last 1 hour I get it. Its rare, don’t?

Thanks again.

10

hi,

look at the timestamp value and compare with the message content. Seems you have defined timezones so that there is a two timezone difference. You could recheck your timezone settings and if necessary, add a date converter for the message.

11

Hi,

I am logging in Graylog with timezone -> "Madrid"
In server I re-did dpkg-reconfigure tzdata and again setup “Europe/Madrid” (it was right)

Hour server is # date
Tue Jun 13 12:56:26 CEST 2017

I think that in both sites I have same timezone. However, more weird, I setup a “Alert” to send me an email when Stream SSH receives any entry. If I search in Stream SSH (all messages) I get results, why haven’t I email? Alert is setup and working because I can do a “test email” and I receive it.

Thanks.

12

I use timezone=UTC for graylog internally, but for Graylog users the local timezone. All logs are converted to UTC when received, so the user will see the correct time.

You can check from System/Overview, what Graylog thinks the time zones are.

13

So, time server UTC? With dpkg-reconfigure tzdata which choose?

In System/Overview (my user) I use “Madrid”.

And what do u think about alerts?

Thanks again.

14

Don’t worry about tzdata. The point is that if you look at the timestamp field, it shows Z as time zone, i.e. UTC. If that time is wrong, after converting back to your local timezone, you need to add a date converter for that input.

It is better to make the timestamp work OK before worrying about the stream, I think. One problem at a time.

15

Well, really time in server in same than graylog. Mi own laptop if have 10 minutes less but don’t worry.
However if I try to login to my server and I fail, Graylog take that log, its ok (with some minutes less but don’t worry).

I can go Stream, search “sshd” and I will see my fail login, but if there are entries in Stream SSH and I have an alert configured to sent an email when its ocurrs, why don’t I receive emails?

Therefore, how could I solve timestamp? Any plugin? Changing timezone in any site?
I’m sorry for large post but I am stuck.

Thanks.

16

Over here: http://docs.graylog.org/en/2.2/pages/extractors.html

That page covers date converters that can be used to fix timezone issues.

17

… and for the email issue: you can try to send test alert emails from Alerts/Manage notification

That way you can first check that your email configuration is OK, so that the problem is not there. If the test email work, then the problem could be in stream settings.

18

Hi,

I attach two pictures, I created a extractor to change timestamp, I think that I create it good but after I try to login (with bad password) and I see log in Graylog but its keeping bad timestamp. I’m really stuck :sweat:

Regarding email, tests is working fine and If I search in Stream SSH I see logs and in Alert is configured correctly. I attach pictures too to be more easy help me.

Thanks.

19

date converters are picky. I recommend you first extract the time/date to a field with a different name (such as timestamp_test to see if the extraction works OK (if the converter does not work, you will not get the new field).

20

Seems extractor is working fine, dont?

Metrics
150 total invocations since boot, averages: 1.6, 0.45, 0.16.
0 hits, 150 misses
Total time

95th percentile:
    6μs
98th percentile:
    6μs
99th percentile:
    14μs
Standard deviation:
    2μs
Mean:
    3μs
Minimum:
    1μs
Maximum:
    18μs

Condition time

95th percentile:
    1μs
98th percentile:
    1μs
99th percentile:
    1μs
Standard deviation:
    0μs
Mean:
    0μs
Minimum:
    0μs
Maximum:
    1μs

Execution time

95th percentile:
    0μs
98th percentile:
    0μs
99th percentile:
    0μs
Standard deviation:
    0μs
Mean:
    0μs
Minimum:
    0μs
Maximum:
    0μs

Converter time

95th percentile:
    0μs
98th percentile:
    0μs
99th percentile:
    0μs
Standard deviation:
    0μs
Mean:
    0μs
Minimum:
    0μs
Maximum:
    0μs

Now, what next step?

I saved it in new stored field -> store as field: timestamp_test.

Thanks.