elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat System module - add Auth fileset patterns #35044

Open leweafan opened 1 year ago

leweafan commented 1 year ago

Describe the enhancement:

Please add patterns for the System module (Auth fileset) to parse SSHD messages. Currently, user.name and the IP address are not parsed.

Debian:

Apr  5 21:11:03 test01 sshd[5031]: Bad protocol version identification '0' from 10.10.10.10 port 37288
Apr  5 21:11:03 test01 sshd[5031]: Connection closed by 10.10.10.10 port 33126 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Connection closed by invalid user sherlock 10.10.10.10 port 35694 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Did not receive identification string from 10.10.10.10
Apr  5 21:11:03 test01 sshd[5031]: Disconnected from 10.10.10.10 port 38580
Apr  5 21:11:03 test01 sshd[5031]: Disconnected from invalid user sherlock 10.10.10.10 port 53892 [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Disconnecting invalid user sherlock 10.10.10.10 port 57956: Too many authentication failures [preauth]
Apr  5 21:11:03 test01 sshd[5031]: Received disconnect from 10.10.10.10 port 38580:11: disconnected by user
Apr  5 21:11:03 test01 sshd[5031]: Starting session: command on pts/0 for sherlock from 10.10.10.10 port 60140 id 0
Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because none of user's groups are listed in AllowGroups
Apr  5 21:11:03 test01 sshd[5031]: User sherlock from 10.10.10.10 not allowed because not listed in AllowUsers
Apr  5 21:11:03 test01 sshd[5031]: fatal: Access denied for user sherlock by PAM account configuration [preauth]
Apr  5 21:11:03 test01 sshd[5031]: fatal: Timeout before authentication for 10.10.10.10
Apr  5 21:11:03 test01 sshd[5031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10

CentOS:

Apr  5 21:11:03 test01 sshd[5031]: input_userauth_request: invalid user sherlock [preauth]

Describe a specific use case for the enhancement or feature:

This parsing is important for security reasons and SIEM rules.
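A small parser for the sshd message shapes quoted above, added here as an illustration and not the Beats system module's own grok patterns; the field names mirror ECS (user.name, source.ip, source.port) and the event.action labels are assumptions of this example.

```python
import re
# Added example, not the Beats system module's own grok: regexes for the sshd message
# shapes quoted in this issue, mapped to ECS-style field names. event.action values are ours.
SYSLOG = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER = r"(?P<user>\S+)"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?: port (?P<port>\d+))?"  # sshd omits the port on some messages
# (regex over the message body, event.action). Order matters: "invalid user" forms first.
MESSAGE_PATTERNS = [
    (re.compile(rf"^(?:Connection closed by|Disconnected from|Disconnecting) invalid user {USER} {IP}{PORT}"), "invalid_user"),
    (re.compile(rf"^(?:Connection closed by|Disconnected from|Received disconnect from) {IP}{PORT}"), "disconnect"),
    (re.compile(rf"^(?:Bad protocol version identification '[^']*' from|Did not receive identification string from|fatal: Timeout before authentication for) {IP}{PORT}"), "preauth_error"),
    (re.compile(rf"^Starting session: \S+ on \S+ for {USER} from {IP}{PORT}"), "session_start"),
    (re.compile(rf"^User {USER} from {IP} not allowed because"), "access_denied"),
    (re.compile(rf"^fatal: Access denied for user {USER} by PAM"), "access_denied"),
    (re.compile(rf"^pam_unix\(sshd:auth\): authentication failure;.* rhost={IP}"), "auth_failure"),
    (re.compile(rf"^input_userauth_request: invalid user {USER}"), "invalid_user"),
]

def parse_sshd(line):
    """Map one syslog line to ECS-like fields; None if it is not a recognised sshd message."""
    head = SYSLOG.match(line)
    if head is None:
        return None
    for pattern, action in MESSAGE_PATTERNS:
        m = pattern.match(head["msg"])
        if m is None:
            continue
        fields = {"host.name": head["host"], "process.pid": int(head["pid"]), "event.action": action}
        groups = m.groupdict()  # only the groups this pattern defines; optional ones may be None
        if groups.get("user"):
            fields["user.name"] = groups["user"]
        if groups.get("ip"):
            fields["source.ip"] = groups["ip"]
        if groups.get("port"):
            fields["source.port"] = int(groups["port"])
        return fields
    return None  # sshd line, but no pattern matched: worth surfacing as a parse gap
# Constructed input: lines copied from this issue plus one non-sshd line that must not parse.
SAMPLE_LINES = [
    "Apr  5 21:11:03 test01 sshd[5031]: Disconnecting invalid user sherlock 10.10.10.10 port 57956: Too many authentication failures [preauth]",
    "Apr  5 21:11:03 test01 sshd[5031]: Received disconnect from 10.10.10.10 port 38580:11: disconnected by user",
    "Apr  5 21:11:03 test01 sshd[5031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10",
    "Apr  5 21:11:03 test01 sshd[5031]: input_userauth_request: invalid user sherlock [preauth]",
    "Apr  5 21:11:03 test01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sshd(line))
```

An sshd line that returns None is the interesting case for a SIEM: it is a message shape the patterns do not yet cover, which is exactly the gap this issue reports.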

botelastic[bot] commented 1 year ago

This issue doesn't have a Team:<team> label.

botelastic[bot] commented 4 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!