
{

"extractors": [
{
"title": "SSH_INVALID_USER_SOURCE",
"extractor_type": "regex",
"converters": [],
"order": 4,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user_source",
"extractor_config": {
"regex_value": "^.+ * Failed password for invalid user .+ from (.+) port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_USERNAME",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_username",
"extractor_config": {
"regex_value": "^.+ * Failed password for (?!invalid user )(.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_SOURCE",
"extractor_type": "regex",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_source",
"extractor_config": {
"regex_value": "^.+ * Failed password for .+ from (.+) port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER",
"extractor_type": "regex",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user",
"extractor_config": {
"regex_value": "^.+ * Failed password for (?:i|I)nvalid user (.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_LOGIN_USERNAME",
"extractor_type": "regex",
"converters": [],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_login_username",
"extractor_config": {
"regex_value": "^.+ * Accepted password for (.+) from .+ port .+ ssh2$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_LOGIN_USERNAME2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_login_username",
"extractor_config": {
"regex_value": "session opened for user (.+) by .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "USER_WITH_WRONG_PASSWORD2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_username",
"extractor_config": {
"regex_value": "Authentication failure for (.+) from .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "USER_WITH_WRONG_PASSWORD",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "user_with_wrong_password",
"extractor_config": {
"regex_value": "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.+ user=(.+)$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_FAIL_SOURCE2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_fail_source",
"extractor_config": {
"regex_value": "Authentication failure for .+ from (.+)$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user",
"extractor_config": {
"regex_value": "^Invalid user (.+) from .+ port .+$"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "SSH_INVALID_USER_SOURCE2",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_invalid_user_source",
"extractor_config": {
"regex_value": "^Invalid user .+ from (.+) port .+$"
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "3.2.0"
}
