Include messages with a dropped_ip as outcome auth failure

elastic · Jan 14, 2019 · 5677481 · 5677481
1 parent 9d37590
commit 5677481
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
@@ -22,22 +22,20 @@
  "field": "message",
  "ignore_missing": true,
  "ignore_failure": true,
- "tag": "ssh-login",
  "patterns": [
- "^%{DATA:system.auth.ssh.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?"
+ "^%{DATA:system.auth.ssh.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
+ "^%{DATA:system.auth.ssh.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
+ "^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}"
  ]
  }
  },
 
-
  {
  "grok": {
  "field": "message",
  "ignore_missing": true,
  "ignore_failure": true,
  "patterns": [
- "^%{DATA:system.auth.ssh.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
- "^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
  "^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
  "^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id:long}",
  "^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id:long}, GID=%{NUMBER:group.id:long}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$"
@@ -70,7 +68,7 @@
  "set": {
  "field": "event.outcome",
  "value": "failure",
- "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed'"
+ "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ((ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed') || (ctx.system.auth.ssh.containsKey('dropped_ip')))"
  }
  },
 

diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
@@ -117,6 +117,7 @@
  "event.dataset": "system.auth",
  "event.kind": "event",
  "event.module": "system",
+ "event.outcome": "failure",
  "fileset.name": "auth",
  "host.hostname": "slave22",
  "input.type": "log",