Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- input {
- file {
- type => "syslog"
- path => "/var/log/secure"
- }
- }
- filter {
- if [type] == "syslog" {
- multiline {
- pattern => "^\t"
- what => "previous"
- }
- }
- if [message] =~ /sudo:.*COMMAND=/ {
- mutate { add_tag => [ "grepped" ] }
- }
- if [message] =~ /sshd:.*session opened for user/ {
- mutate { add_tag => [ "grepped" ] }
- }
- if [type] == "syslog" {
- if "grepped" in [tags] {
- grok {
- add_tag => [ "ssh" ]
- tag_on_failure => false
- # Example : Feb 25 23:14:09 el6a sshd[8766]: pam_unix(sshd:session): session opened for user lofic by (uid=0)
- match => [ "message",
- "%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{WORD:srchost}%{SPACE}sshd.*session opened for user %{WORD:user} by .*" ]
- }
- grok {
- add_tag => [ "sudo" ]
- tag_on_failure => false
- # Example : Feb 25 22:56:25 el6a sudo: lofic : TTY=pts/1 ; PWD=/home/lofic ; USER=root ; COMMAND=/bin/su
- match => [ "message",
- "%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{WORD:srchost}%{SPACE}sudo:%{SPACE}%{WORD:user}%{SPACE}.*;%{SPACE}COMMAND=%{GREEDYDATA:sudocmd}" ]
- }
- }
- grok {
- tag_on_failure => false
- add_tag => [ "noise" ]
- match => [ "message", ".*sshd.*Connection closed by 127.0.0.1" ]
- }
- grok {
- tag_on_failure => false
- add_tag => [ "noise" ]
- match => [ "message", ".*su: .*session .* for user rabbitmq" ]
- }
- }
- }
- output {
- if "_grokparsefailure" not in [tags] and "noise" not in [tags] {
- elasticsearch_river {
- rabbitmq_host => "192.168.0.16"
- es_host => "el6e.labolinux.fr"
- vhost => "/elasticsearch"
- user => "river"
- password =>"plokiploki"
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
