freedomofpress / ansible-role-elk

Installs a turnkey ELK stack for log aggregation and analysis, with optional Riemann support for alerting

SSH event tagging sometimes destroys original message #16

Closed conorsch closed 8 years ago

conorsch commented 8 years ago

I've seen a few messages like this in our alerting system:

Description:   Failed login for user bin from IP %{src_ip}

Obviously, the src_ip failed to parse. When I look up the original event in Kibana, the message field has the same text—which means we can't trivially recover the original log line, so this is definitely a bug.

At a glance I believe the fix may be as simple as converting the if statement on L51 to if else in files/logstash-configs/21-ssh-logins.conf:

44     if "ssh_failure" in [tags] {
45       mutate {
46         add_tag => "slack_alert"
47         add_field => { "original_message" => "%{message}" }
48         replace => { "message" => "Failed login for user %{username} from IP %{src_ip}" }
49       }
50     }
51     if "ssh_success" in [tags] {
52       mutate {
53         add_tag => "slack_alert"
54         add_field => { "original_message" => "%{message}" }
55         replace => { "message" => "Interactive SSH login for user %{username} from IP %{src_ip}" }
56       }
57     }
58   }

Those conditions should be mutually exclusive, and both mutate blocks overwrite message, so that's where I'd start. Further testing is needed to be sure.

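The following Python model is an added example for this thread; it is not code from the ansible-role-elk role or from the commenter. It imitates two Logstash behaviours that matter here: a `%{field}` reference to a field the event lacks is left in the string verbatim (the `IP %{src_ip}` text in the alert above is exactly that), and within a single `mutate` filter the filter's own operations such as `replace` run before the common options `add_field` and `add_tag` are applied, so an `add_field` that copies `%{message}` sees the already-replaced value. The event layout, the sample sshd lines and the `ssh_format_failure` tag are constructed for the example; the two templates are the ones quoted from `21-ssh-logins.conf`.

```python
"""Model of the mutate sequence quoted in the issue (added example).

Imitated Logstash behaviour: (1) an unresolvable %{field} reference is
kept literally; (2) inside one mutate filter, replace runs before the
add_field / add_tag common options.  Event shape, sample log lines and
the ssh_format_failure tag are constructed for this example.
"""
import re

# A %{name} reference as used in Logstash sprintf-style strings.
REF_RE = re.compile(r"%\{([^}]+)\}")

# The two message templates from 21-ssh-logins.conf, keyed by the tag
# whose presence triggers them.
TEMPLATES = {
    "ssh_failure": "Failed login for user %{username} from IP %{src_ip}",
    "ssh_success": "Interactive SSH login for user %{username} from IP %{src_ip}",
}


def sprintf(template, event):
    """Expand %{field} references; a missing field is left as literal text."""
    return REF_RE.sub(
        lambda m: str(event[m.group(1)]) if m.group(1) in event else m.group(0),
        template,
    )


def has_unresolved_refs(text):
    """True if a rendered string still carries a literal %{...} placeholder."""
    return REF_RE.search(text) is not None


def mutate(event, replace=None, add_field=None, add_tag=None):
    """One mutate filter: replace first, then the add_field/add_tag common options."""
    ev = dict(event)
    ev["tags"] = list(ev.get("tags", []))
    for field, template in (replace or {}).items():
        ev[field] = sprintf(template, ev)
    for field, template in (add_field or {}).items():
        ev[field] = sprintf(template, ev)  # sees the already-replaced message
    if add_tag:
        ev["tags"].append(add_tag)
    return ev


def tag_as_quoted(event):
    """The config quoted in the issue: replace and add_field inside the same mutate."""
    ev = event
    for tag, template in TEMPLATES.items():
        if tag in ev.get("tags", []):
            ev = mutate(ev, replace={"message": template},
                        add_field={"original_message": "%{message}"},
                        add_tag="slack_alert")
    return ev


def tag_hardened(event):
    """Snapshot message in its own mutate, and replace only when every reference resolves."""
    ev = event
    for tag, template in TEMPLATES.items():
        if tag not in ev.get("tags", []):
            continue
        if has_unresolved_refs(sprintf(template, ev)):
            # Leave message untouched so the raw line stays searchable.
            ev = mutate(ev, add_tag="ssh_format_failure")  # constructed tag name
            continue
        ev = mutate(ev, add_field={"original_message": "%{message}"})  # first filter
        ev = mutate(ev, replace={"message": template}, add_tag="slack_alert")  # second
    return ev


# Constructed sample events: one fully parsed, one where the grok stage
# populated username but not src_ip.
RAW = "Failed password for invalid user bin from 203.0.113.7 port 51234 ssh2"
PARSED = {"message": RAW, "tags": ["ssh_failure"],
          "username": "bin", "src_ip": "203.0.113.7"}
PARTIAL = {"message": RAW, "tags": ["ssh_failure"], "username": "bin"}

if __name__ == "__main__":
    for name, ev in (("quoted/partial", tag_as_quoted(PARTIAL)),
                     ("quoted/parsed", tag_as_quoted(PARSED)),
                     ("hardened/partial", tag_hardened(PARTIAL)),
                     ("hardened/parsed", tag_hardened(PARSED))):
        print(name, "message=", ev["message"],
              "| original_message=", ev.get("original_message"), "| tags=", ev["tags"])
```

Running the model on the partially parsed event reproduces the symptom from the alert: `message` and `original_message` both read `Failed login for user bin from IP %{src_ip}`, because the `add_field` snapshot is taken after `replace` has already run. The model also shows that the quoted config loses the raw line even when `src_ip` parsed correctly. The hardened variant keeps the snapshot in a preceding mutate filter and leaves `message` alone when a reference would not resolve, tagging the event instead so the failed parse can be alerted on separately; `has_unresolved_refs` is also usable as a check over already indexed events to find documents affected by this class of bug.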
conorsch commented 8 years ago

Potentially fixed by #28—keeping open to observe behavior.

conorsch commented 8 years ago

Additional cleanup in #43 resolves the issue; original log message contents are now preserved.