Graylog Extractors Rsyslog

The document is a Graylog extractor export containing a set of regular-expression extractors that pull fields out of sshd messages forwarded by rsyslog: the username, the source IP, and whether the login was accepted, failed for a known user, or named an invalid user. Each extractor has an order and writes to a specific target field (username, source, or error type).

Uploaded by Andrey T

{
  "extractors": [
    {
      "title": "SSH_INVALID_USER_SOURCE",
      "extractor_type": "regex",
      "converters": [],
      "order": 4,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_invalid_user_source",
      "extractor_config": {
        "regex_value": "^.+ * Failed password for invalid user .+ from (.+) port .+ ssh2$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_FAIL_USERNAME",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_username",
      "extractor_config": {
        "regex_value": "^.+ * Failed password for (?!invalid user )(.+) from .+ port .+ ssh2$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_FAIL_SOURCE",
      "extractor_type": "regex",
      "converters": [],
      "order": 1,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_source",
      "extractor_config": {
        "regex_value": "^.+ * Failed password for .+ from (.+) port .+ ssh2$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_INVALID_USER",
      "extractor_type": "regex",
      "converters": [],
      "order": 3,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_invalid_user",
      "extractor_config": {
        "regex_value": "^.+ * Failed password for (?:i|I)nvalid user (.+) from .+ port .+ ssh2$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_LOGIN_USERNAME",
      "extractor_type": "regex",
      "converters": [],
      "order": 2,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_login_username",
      "extractor_config": {
        "regex_value": "^.+ * Accepted password for (.+) from .+ port .+ ssh2$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_LOGIN_USERNAME2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_login_username",
      "extractor_config": {
        "regex_value": "session opened for user (.+) by .+$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "USER_WITH_WRONG_PASSWORD2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_username",
      "extractor_config": {
        "regex_value": "Authentication failure for (.+) from .+$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "USER_WITH_WRONG_PASSWORD",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "user_with_wrong_password",
      "extractor_config": {
        "regex_value": "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.+ user=(.+)$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_FAIL_SOURCE2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_fail_source",
      "extractor_config": {
        "regex_value": "Authentication failure for .+ from (.+)$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_INVALID_USER2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_invalid_user",
      "extractor_config": {
        "regex_value": "^Invalid user (.+) from .+ port .+$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "SSH_INVALID_USER_SOURCE2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_invalid_user_source",
      "extractor_config": {
        "regex_value": "^Invalid user .+ from (.+) port .+$"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "3.2.0"
}
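The following script is an added example, not part of the uploaded export: it replays the eleven regexes from the export above over a handful of constructed sshd lines so you can see which target fields each line would receive before importing the set into Graylog. It assumes Graylog applies a regex extractor with search semantics and stores capture group 1, and that extractors with equal "order" values keep their listed order; the sample messages and the pid/address values in them are constructed, not captured logs.

```python
import re

# (title, target_field, order, regex_value) copied from the export above.
EXTRACTORS = [
    ("SSH_INVALID_USER_SOURCE", "ssh_invalid_user_source", 4,
     r"^.+ * Failed password for invalid user .+ from (.+) port .+ ssh2$"),
    ("SSH_FAIL_USERNAME", "ssh_fail_username", 0,
     r"^.+ * Failed password for (?!invalid user )(.+) from .+ port .+ ssh2$"),
    ("SSH_FAIL_SOURCE", "ssh_fail_source", 1,
     r"^.+ * Failed password for .+ from (.+) port .+ ssh2$"),
    ("SSH_INVALID_USER", "ssh_invalid_user", 3,
     r"^.+ * Failed password for (?:i|I)nvalid user (.+) from .+ port .+ ssh2$"),
    ("SSH_LOGIN_USERNAME", "ssh_login_username", 2,
     r"^.+ * Accepted password for (.+) from .+ port .+ ssh2$"),
    ("SSH_LOGIN_USERNAME2", "ssh_login_username", 0,
     r"session opened for user (.+) by .+$"),
    ("USER_WITH_WRONG_PASSWORD2", "ssh_fail_username", 0,
     r"Authentication failure for (.+) from .+$"),
    ("USER_WITH_WRONG_PASSWORD", "user_with_wrong_password", 0,
     r"authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.+ user=(.+)$"),
    ("SSH_FAIL_SOURCE2", "ssh_fail_source", 0,
     r"Authentication failure for .+ from (.+)$"),
    ("SSH_INVALID_USER2", "ssh_invalid_user", 0,
     r"^Invalid user (.+) from .+ port .+$"),
    ("SSH_INVALID_USER_SOURCE2", "ssh_invalid_user_source", 0,
     r"^Invalid user .+ from (.+) port .+$"),
]


def validate_extractors():
    """Return titles whose regex does not contain exactly one capture group.

    A Graylog regex extractor stores capture group 1 (assumption stated in
    the lead-in), so anything else is a configuration error worth catching
    before import.
    """
    return [title for title, _target, _order, regex in EXTRACTORS
            if re.compile(regex).groups != 1]


def run_extractors(message):
    """Apply the extractors in ascending 'order' and return the fields set.

    sorted() is stable, so extractors with equal order keep list order.
    re.search with DOTALL approximates Graylog's matcher (assumption); when
    two extractors write the same target field, the later one wins here.
    """
    fields = {}
    for _title, target, _order, regex in sorted(EXTRACTORS, key=lambda e: e[2]):
        match = re.search(regex, message, re.DOTALL)
        if match:
            fields[target] = match.group(1)
    return fields


# Constructed sshd lines. Most carry the "sshd[pid]:" tag prefix that the
# "^.+ * " regexes require; the "Invalid user" lines appear both with and
# without it because SSH_INVALID_USER2/SSH_INVALID_USER_SOURCE2 anchor "^Invalid".
SAMPLE_MESSAGES = {
    "failed, known user":
        "sshd[2231]: Failed password for root from 203.0.113.7 port 40022 ssh2",
    "failed, invalid user":
        "sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "accepted":
        "sshd[2240]: Accepted password for alice from 192.0.2.10 port 50122 ssh2",
    "pam session":
        "sshd[2240]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "pam auth failure":
        "sshd[2250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 "
        "euid=0 tty=ssh ruser= rhost=198.51.100.4 user=bob",
    "invalid user, no prefix":
        "Invalid user oracle from 10.0.0.5 port 51300",
    "invalid user, with prefix":
        "sshd[2260]: Invalid user oracle from 10.0.0.5 port 51300",
    "unrelated":
        "sshd[2270]: Connection closed by 10.0.0.5 port 51300 [preauth]",
}


if __name__ == "__main__":
    bad = validate_extractors()
    print("extractors with capture-group count != 1:", bad or "none")
    for label, message in SAMPLE_MESSAGES.items():
        print(f"{label:28s} -> {run_extractors(message)}")
```

Two things the replay makes visible that the export alone does not: a "Failed password for invalid user" line sets both ssh_fail_source and ssh_invalid_user_source, because SSH_FAIL_SOURCE's `for .+ from` also swallows "invalid user admin", while SSH_FAIL_USERNAME's negative lookahead keeps ssh_fail_username clear; and the two `^Invalid user` extractors only fire when the message field has no syslog tag in front of it, whereas the `^.+ * ` extractors only fire when it does, so check how your rsyslog template and Graylog input populate the message field before relying on both families at once.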