Exploring other kinds of auth issues about ssh-log-to-influx HOT 5 CLOSED

You are right.

I'm currently working on detecting PubkeyAuthentication errors.

Invalid user bob from 72.xx.xx.87 port 38124 is one of these indeed.

If you find any other valid error to catch, that will be nice. Thanks!

from ssh-log-to-influx.

Awesome, good to hear. Do you know of a way to confirm that the rsyslog configuration works?

from ssh-log-to-influx.

Do you mean this kind of configuration ?

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

I don't know any other way to test it apart from using it directly and trying to dispatch message by logging into the system.

The configuration will have to change to catch more errors, we already restric the scope to the sshd logs so maybe accepting all logs is something to consider. And do the heavy work inside server.

from ssh-log-to-influx.

Cool. One last suggestion, make your dashboard available on grafana.com or export it by clicking "Share" and "For External". As is it, it's really hard to re-use.

from ssh-log-to-influx.

Good suggestion, just did it. Hower I'm using Grafana 7.1... So only compatible with grafana:master.

The reason why is because I need new features to join on the time range to have valid values of the last time the attack happend + the sum of the attack from the ip.

from ssh-log-to-influx.