Set event.action=ssh_login (too broad ATM) and event.outcome for some…
… ssh activity

Note: when I say event.action is too broad, this is because it lumps in
session disconnects as 'ssh_login', when it should likely be ssh_session.
Mathieu Martin committed Jan 14, 2019
1 parent 4266bc2 commit 564ea59
Showing 2 changed files with 41 additions and 1 deletion.
23 changes: 22 additions & 1 deletion filebeat/module/system/auth/ingest/pipeline.json
Expand Up @@ -52,12 +52,33 @@
"if": "ctx.containsKey('process') && ctx.process.containsKey('name') && ctx.process.name == 'sshd'"
}
},
{
"set": {
"field": "event.action",
"value": "ssh_login",
"if": "ctx.event.containsKey('category') && ctx.event.category == 'authentication'"
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Accepted'"
}
},
{
"set": {
"field": "event.outcome",
"value": "failure",
"if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed'"
}
},

{
"set": {
"field": "source.ip",
"value": "{{system.auth.ssh.dropped_ip}}",
"if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
"if": "ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
}
},
{
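Review bot: The conditions on the two new event.outcome processors and on the shorter form of the source.ip condition dereference `ctx.system.auth` directly, while the longer form of that same source.ip condition shown in this hunk (presumably the removed line) first checks `ctx.containsKey('system') && ctx.system.containsKey('auth')`; if a document reaches these processors without a `system` map (whether that can happen is not visible from this hunk), the Painless condition throws a NullPointerException and the whole document fails the pipeline instead of the processor being skipped, which for an auth dataset means the event is lost rather than indexed with fewer fields. Painless's null-safe operator keeps the guard and the intent in one expression, e.g. `"if": "ctx.system?.auth?.ssh?.dropped_ip != null"` and `"if": "ctx.event?.action == 'ssh_login' && ctx.system?.auth?.ssh?.action == 'Accepted'"` (the 'Failed' branch likewise). The expected-output file in this commit only covers lines on which these conditions evaluate true, so a document lacking `system.auth` is not exercised by the tests as far as is visible here. The processors array these entries belong to starts and ends outside the hunk.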
19 changes: 19 additions & 0 deletions filebeat/module/system/auth/test/test.log-expected.json
@@ -1,10 +1,12 @@
[
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
"event.module": "system",
"event.outcome": "success",
"fileset.name": "auth",
"host.hostname": "localhost",
"input.type": "log",
Expand All @@ -21,10 +23,12 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
"event.module": "system",
"event.outcome": "success",
"fileset.name": "auth",
"host.hostname": "localhost",
"input.type": "log",
Expand All @@ -40,10 +44,12 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
"event.module": "system",
"event.outcome": "failure",
"fileset.name": "auth",
"host.hostname": "slave22",
"input.type": "log",
Expand Down Expand Up @@ -106,6 +112,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand Down Expand Up @@ -194,10 +201,12 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
"event.module": "system",
"event.outcome": "success",
"fileset.name": "auth",
"host.hostname": "ubuntu-xenial",
"input.type": "log",
Expand All @@ -214,6 +223,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand Down Expand Up @@ -253,6 +263,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -267,6 +278,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -281,6 +293,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand Down Expand Up @@ -372,6 +385,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -386,6 +400,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -400,6 +415,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -426,6 +442,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -443,6 +460,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
Expand All @@ -457,6 +475,7 @@
},
{
"ecs.version": "1.0.0-beta2",
"event.action": "ssh_login",
"event.category": "authentication",
"event.dataset": "system.auth",
"event.kind": "event",
