jkumar2001 / graylog-generic-syslog Goto Github PK

Hi there,

let me say that I am totally new to graylog and this content pack has got me started looking at a few things. I am using graylog2 beta2.

ssh_login_username
(should this not extract all user names and aggregate them showing which user logged in how often?)

**current: _"Accepted password for (.+) from (.+) port"
_rather: Accepted keyboard-interactive/pam for USER from IP port 61470 ssh2
or maybe: pam_unix(sshd:session): session opened for user root by (uid=0)

SSH Connection Dropped
(not sure about this one, are we only looking for dropped/blocked sessions by iptables?)

**current: _IPTables Packet Dropped" AND iptables_dport:22
_rather: pam_unix(sshd:session): session closed for user root
or: Received disconnect from 87.156.164.7: 11: disconnected by user

Fail2ban Ban

current: application_name:fail2ban.actions AND message:"NOTICE [sshd] Ban"
rather: application_name:fail2ban.actions AND (message:"WARNING [ssh] Ban" OR message:"WARNING [ssh-ddos] Ban")

Fail2ban Unban

current: application_name:fail2ban.actions AND message:"NOTICE [sshd] Unban"
rather: application_name:fail2ban.actions AND (message:"WARNING [ssh] Unban" OR message:"WARNING [ssh-ddos] Unban")

Root Login

current: message:" Accepted publickey for root " OR message:" Accepted password for root "
rather: message:"Accepted keyboard-interactive/pam for root"

SSH Login

current: message:" Accepted publickey for " OR message:" Accepted password for "
rather: see above but needs exception for root user

*Some dashboards don't add up: *

**SSH login failed server _reports a count of 38 and this is correct.
_using: message:" Failed publickey for " OR message:" Failed password for " OR (message:"Invalid user" AND message:from)

Failed SSHD Metrics reports: 56 and this is wrong as the 38 above are correct.
using: application_name:sshd AND (message:"Failed" OR message:"Invalid user")

Also, SSH Login Failed Source IP shows a total of 27, while SSH Failure count, SSH Login failures and SSH login failed server all show a total of 38.

Would you have a look if you can replicate this?
I'd like to get this working properly but maybe I am misunderstanding something?

When tying to import in graylog 3, there is the following error:

Error importing content pack, please ensure it is a valid JSON file. Check your Graylog logs for more information.
Null id at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@33bc6cf6; line: 474, column: 1] (through reference chain: org.graylog2.contentpacks.model.AutoValue_LegacyContentPack$Builder[“id”])

See also https://community.graylog.org/t/unable-to-import-content-packs-downloaded-from-marketplace/8732

Can you update this cool content_pack?

When tying to import in graylog 4, there is the following error:

Error importing content pack, please ensure it is a valid JSON file. Check your Graylog logs for more information.
Null id at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@33bc6cf6; line: 474, column: 1] (through reference chain: org.graylog2.contentpacks.model.AutoValue_LegacyContentPack$Builder[“id”])

Could you update this cool content_pack?

I go to SYSTEM => Content Packs => Import select this content pack click upload and nothing happens.