Graylog Extractors Rsyslog

The document defines a set of Graylog regular-expression extractors that pull fields out of SSH login messages shipped via rsyslog. The extractors capture the username and the source IP, and they distinguish a successful login from a failed password and from an attempt with an invalid (non-existent) user. Each extractor has an order and writes its first capture group to a specific target field such as a username, a source address, or an error type.

Uploaded by Andrey T

{
"extractors": [
{
"title": "SSH_INVALID_USER_SOURCE",
"extractor_type": "regex",
"converters": [],
"order": 4,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user_source",
"extractor_config": {
"regex_value": "^.+ * Failed password for invalid user .+ from (.+) port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_USERNAME",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_username",
"extractor_config": {
"regex_value": "^.+ * Failed password for (?!invalid user )(.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_SOURCE",
"extractor_type": "regex",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_source",
"extractor_config": {
"regex_value": "^.+ * Failed password for .+ from (.+) port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER",
"extractor_type": "regex",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user",
"extractor_config": {
"regex_value": "^.+ * Failed password for (?:i|I)nvalid user (.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_LOGIN_USERNAME",
"extractor_type": "regex",
"converters": [],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_login_username",
"extractor_config": {
"regex_value": "^.+ * Accepted password for (.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_LOGIN_USERNAME2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_login_username",
"extractor_config": {
"regex_value": "session opened for user (.+) by .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "USER_WITH_WRONG_PASSWORD2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_username",
"extractor_config": {
"regex_value": "Authentication failure for (.+) from .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "USER_WITH_WRONG_PASSWORD",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "user_with_wrong_password",
"extractor_config": {
"regex_value": "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.+ user=(.+)$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_SOURCE2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_source",
"extractor_config": {
"regex_value": "Authentication failure for .+ from (.+)$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user",
"extractor_config": {
"regex_value": "^Invalid user (.+) from .+ port .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER_SOURCE2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user_source",
"extractor_config": {
"regex_value": "^Invalid user .+ from (.+) port .+$"
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "3.2.0"
}
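To check these extractors before importing them into Graylog, here is an added Python example (not part of the uploaded document) that runs each regex_value above against constructed sshd messages and reports which target fields get populated. It assumes Python's re module matches these patterns the same way Graylog's Java regex engine does, and that when two extractors write the same target field the later one (by order) wins.

```python
import re

# The page's eleven regex extractors as (order, target_field, regex_value).
# Graylog compiles regex_value with Java's regex engine; these patterns use only
# constructs that Python's re handles the same way (assumption of this example).
EXTRACTORS = [
    (4, "ssh_invalid_user_source", r"^.+ * Failed password for invalid user .+ from (.+) port .+ ssh2$"),
    (0, "ssh_fail_username", r"^.+ * Failed password for (?!invalid user )(.+) from .+ port .+ ssh2$"),
    (1, "ssh_fail_source", r"^.+ * Failed password for .+ from (.+) port .+ ssh2$"),
    (3, "ssh_invalid_user", r"^.+ * Failed password for (?:i|I)nvalid user (.+) from .+ port .+ ssh2$"),
    (2, "ssh_login_username", r"^.+ * Accepted password for (.+) from .+ port .+ ssh2$"),
    (0, "ssh_login_username", r"session opened for user (.+) by .+$"),
    (0, "ssh_fail_username", r"Authentication failure for (.+) from .+$"),
    (0, "user_with_wrong_password", r"authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.+ user=(.+)$"),
    (0, "ssh_fail_source", r"Authentication failure for .+ from (.+)$"),
    (0, "ssh_invalid_user", r"^Invalid user (.+) from .+ port .+$"),
    (0, "ssh_invalid_user_source", r"^Invalid user .+ from (.+) port .+$"),
]

# Constructed sshd messages as they would sit in Graylog's "message" field
# (sample data, not from the page). The two "Invalid user" extractors are anchored
# at ^, so that line is given without a syslog tag prefix.
SAMPLE_MESSAGES = {
    "invalid_user_failed": "sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "known_user_failed": "sshd[1235]: Failed password for alice from 198.51.100.7 port 51235 ssh2",
    "login_ok": "sshd[1236]: Accepted password for bob from 192.0.2.9 port 51236 ssh2",
    "invalid_user_probe": "Invalid user test from 203.0.113.5 port 51237",
    "pam_failure": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=eve",
}


def extract_fields(message):
    """Run every extractor against one message in ascending "order"; return {target_field: group 1}."""
    fields = {}
    for _order, target, pattern in sorted(EXTRACTORS, key=lambda e: e[0]):  # stable sort keeps ties in list order
        match = re.search(pattern, message)
        if match:
            fields[target] = match.group(1)  # simulation assumes a later match overwrites an earlier one
    return fields


def run_samples():
    """Extract fields from every constructed message; returns {label: fields}."""
    return {label: extract_fields(msg) for label, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, fields in run_samples().items():
        print(f"{label}: {fields}")
```

Note that a "Failed password for invalid user" line populates ssh_fail_source as well as ssh_invalid_user_source, because SSH_FAIL_SOURCE has no lookahead excluding invalid users, while the negative lookahead in SSH_FAIL_USERNAME keeps "invalid user admin" out of ssh_fail_username.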
