SSH Analysis Example #110
@gingerwizard how do we get the data for SSH? I am wondering if, with the upcoming filebeat modules, we can have an SSH module that would parse SSH logs, and automatically install the relevant ingest plugin and Kibana dashboards for it. Later on, we can add support to automatically install watches and potentially built-in ML (prelert). /cc @tsg @monicasarbu

Looks like it's using a Logstash codec (cef), so we'd have to check if grok is enough for parsing that format, or we'd need a CEF processor in Ingest Node. Or do you mean to parse the SSH logs in their non-CEF format?

Yes, I meant tailing SSH logs, out of the box (automatic detection of location based on OS and so on), in their original format (which, as far as I can tell, is non-CEF).
In this case we took the auth logs from a honeypot that @nellicus has been running and converted them to CEF format. The pattern of these logs varies depending on system configuration, but in this case each entry was already JSON - @nellicus can provide further details, but sample:

The conversion to CEF was more to illustrate how data collected by ArcSight could in theory be easily ingested and alerted on.

Small follow-up here: we have a filebeat module (PR open) and a staged blog post for doing something similar to this. Let me know if you see any issues with it.