I've seen a few messages like this in our alerting system:
Description: Failed login for user bin from IP %{src_ip}
Obviously, the src_ip failed to parse. When I look up the original event in Kibana, the message field has the same text—which means we can't trivially recover the original log line, so this is definitely a bug.
At a glance I believe the fix may be as simple as converting the if statement on L51 to if else in files/logstash-configs/21-ssh-logins.conf:
44   if "ssh_failure" in [tags] {
45     mutate {
46       add_tag => "slack_alert"
47       add_field => { "original_message" => "%{message}" }
48       replace => { "message" => "Failed login for user %{username} from IP %{src_ip}" }
49     }
50   }
51   if "ssh_success" in [tags] {
52     mutate {
53       add_tag => "slack_alert"
54       add_field => { "original_message" => "%{message}" }
55       replace => { "message" => "Interactive SSH login for user %{username} from IP %{src_ip}" }
56     }
57   }
58 }
Those conditions should be mutually exclusive, and both mutate blocks overwrite message, so that's where I'd start. Further testing needed to be sure.
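To make the two layouts easy to compare offline, here is a small Python model of the pipeline above. It is an added example, not code from the issue or from the repository: the `sprintf` function imitates how Logstash substitutes `%{field}` references (a reference to a field the event does not have is left as literal text, which is exactly the `%{src_ip}` symptom in the alert; nested `%{[a][b]}` and `%{+date}` forms are not modelled), `mutate` imitates the `add_tag`/`add_field`/`replace` block, and the sample events are constructed, not taken from Kibana. It also adds a guard a practitioner would want regardless of the `if`/`else if` fix: before an event is routed to the `slack_alert` path, check that no unresolved `%{...}` reference survived in `message` and divert such events to a parse-failure tag instead, so a broken grok pattern shows up as a pipeline problem rather than as a malformed security alert.

```python
import re
from copy import deepcopy

# Constructed sample events (not taken from the issue's Kibana data).
SAMPLE_EVENTS = [
    # 1: fully parsed failure event
    {"message": "Failed password for bin from 203.0.113.5 port 4242 ssh2",
     "tags": ["ssh_failure"], "username": "bin", "src_ip": "203.0.113.5"},
    # 2: src_ip never got extracted, reproducing the symptom from the alert
    {"message": "Failed password for bin from 203.0.113.5 port 4242 ssh2",
     "tags": ["ssh_failure"], "username": "bin"},
    # 3: event carrying both tags, so both conditionals would match
    {"message": "Accepted publickey for alice from 198.51.100.7 port 5151 ssh2",
     "tags": ["ssh_failure", "ssh_success"], "username": "alice",
     "src_ip": "198.51.100.7"},
]

FIELD_REF = re.compile(r"%\{([^}]+)\}")

FAILURE_TPL = "Failed login for user %{username} from IP %{src_ip}"
SUCCESS_TPL = "Interactive SSH login for user %{username} from IP %{src_ip}"


def sprintf(template, event):
    """Model of Logstash field substitution (flat field names only, an assumption
    of this example): a reference to a missing field stays as literal %{name}."""
    def sub(match):
        name = match.group(1)
        return str(event[name]) if name in event else match.group(0)
    return FIELD_REF.sub(sub, template)


def mutate(event, template):
    """Model of the mutate block in 21-ssh-logins.conf: add_tag, add_field
    original_message, replace message. Returns a new event, input untouched."""
    ev = deepcopy(event)
    tags = ev.setdefault("tags", [])
    if "slack_alert" not in tags:
        tags.append("slack_alert")
    # add_field renders its value first; adding to a field that already exists
    # turns it into an array, which is what a second mutate would do here.
    rendered = sprintf("%{message}", ev)
    if "original_message" in ev:
        prev = ev["original_message"]
        ev["original_message"] = (prev if isinstance(prev, list) else [prev]) + [rendered]
    else:
        ev["original_message"] = rendered
    ev["message"] = sprintf(template, ev)
    return ev


def pipeline_sequential_ifs(event):
    """Current layout: two independent if blocks, both may fire."""
    if "ssh_failure" in event.get("tags", []):
        event = mutate(event, FAILURE_TPL)
    if "ssh_success" in event.get("tags", []):
        event = mutate(event, SUCCESS_TPL)
    return event


def pipeline_else_if(event):
    """Proposed layout: the second block only runs when the first did not."""
    if "ssh_failure" in event.get("tags", []):
        event = mutate(event, FAILURE_TPL)
    elif "ssh_success" in event.get("tags", []):
        event = mutate(event, SUCCESS_TPL)
    return event


def unresolved_refs(message):
    """Field references that survived rendering, e.g. ['src_ip']."""
    return FIELD_REF.findall(message)


def route(event):
    """Alert-hygiene guard: only fully rendered messages go to Slack; anything
    with a leftover %{...} is a parsing problem and is routed accordingly."""
    return "parse_failure" if unresolved_refs(event["message"]) else "slack_alert"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        seq, eif = pipeline_sequential_ifs(ev), pipeline_else_if(ev)
        print("sequential:", seq["message"], "->", route(seq))
        print("else-if:   ", eif["message"], "->", route(eif))
```

Running it shows that the `else if` change only matters for events that carry both tags (event 3): with sequential `if`s the second `mutate` overwrites the first message and turns `original_message` into a two-element array. For event 2 the `%{src_ip}` literal appears under both layouts, which is what the `route` guard is for: it catches an unparsed field before the alert is sent, whatever the cause.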