Introduction
Using DataSet, an organization can monitor Linux SSH login failure events on a Linux host.
This can be accomplished by using the Linux agent to monitor Linux log file /var/log/auth.log
Procedure
1. Download the Scalyr Agent for Linux and install it on each Linux host that you wish to monitor
2. Open the installed /etc/scalyr-agent-2/agent.json file and find the logs section. Modifying the following stanza to point to the /var/log/auth.log and the associated parser
logs: [
{ path: "/var/log/auth.log", attributes: {parser: "authentication"} }
]
3. Create the below parser with the name "authentication" in your account
// Parser for standard system logs.
{
timezone: "PST",
attributes: {
// Tag all events parsed with this parser so we can easily select them in queries.
dataset: "systemlog"
},
patterns: {
timestamp: "([a-z]+\\s+[0-9]+\\s+[0-9:]+)|" // e.g. Feb 3 03:47:01
+ "(\\d{4}-\\d{2}-\\d+T\\d{2}:\\d{2}:\\d{2}.\\d+\\+\\d+:\\d{2})" // e.g. 2013-03-20T00:53:26.942569+00:00
},
formats: [
// Process name plus ID. Examples:
// 2013-03-19T12:25:16.267245+00:00 ip-10-11-222-111 auditd[14957]: Audit daemon rotating log files
// Feb 3 13:17:00 host-1 dhclient[1576]: DHCPREQUEST on eth0 to 169.108.1.0 port 67 (xid=0x323f0123)
{
format: "$timestamp=timestamp$ $host$ $process$\\[$procid$\\]: $text$",
halt: true
},
// Process name with no ID. Examples:
// Feb 3 03:47:01 host-1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.03" x-pid="1631" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
// Mar 17 04:34:12 li58-102 dhclient: DHCPREQUEST on eth0 to 206.192.11.29 port 67
{
format: "$timestamp=timestamp$ $host$ $process$: $text$",
halt: true
}
]
}
View the logs in DataSet
4. Creating the below alert for SSH login failure:
Trigger: count:2 minutes(text contains 'Failed password' logfile='/var/log/auth.log' serverHost='donnguye-ubuntu') > 0
Comments
0 comments
Please sign in to leave a comment.