cscli parsers install crowdsecurity/sshd-success-logs
A parser for sshd success logs. It handles both password and public-key authentication events, and extracts the username and the source IP address.
# CrowdSec parser for sshd "Accepted ..." lines: pulls the authenticated user,
# client IP and client port out of the message and publishes them as meta fields
# (service, source_ip, user, log_type) for downstream scenarios.

# On a successful match the event is handed on to the next parser stage.
onsuccess: next_stage
# Debug output is switched off; uncomment to trace this parser's matches.
#debug: true
# Only events already attributed to the sshd program reach this parser.
filter: "evt.Parsed.program == 'sshd'"
name: crowdsecurity/sshd-success-logs
description: "Parse successful ssh logins"
pattern_syntax:
  # Strict dotted-quad: each octet is limited to 0-255, so "999.1.1.1" does not match.
  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
  # Accepts either an IPv6 literal or the strict IPv4 form above.
  # NOTE(review): the "_WORKAROUND" naming suggests the stock IP pattern was
  # deliberately avoided here — confirm before replacing it with %{IP}.
  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
nodes:
  - grok:
      # Only "publickey" and "password" accepts are matched by the alternation;
      # NOTE(review): successful logins reported with any other method name
      # (e.g. keyboard-interactive/pam, if enabled on the host) would fall
      # through unparsed — a visibility gap worth confirming against real logs.
      # sshd_trail keeps whatever follows "ssh2" on the line.
      pattern: "Accepted (publickey|password) for %{USERNAME:sshd_auth_user} from %{IP_WORKAROUND:sshd_client_ip} port %{NUMBER:sshd_client_port} ssh2%{GREEDYDATA:sshd_trail}"
      apply_on: message
# Meta fields consumed by scenarios; source_ip and user are copied from the grok captures.
statics:
  - meta: service
    value: ssh
  - meta: source_ip
    expression: "evt.Parsed.sshd_client_ip"
  - meta: user
    expression: "evt.Parsed.sshd_auth_user"
  # Marks the event as a successful authentication (sshd_client_port is parsed
  # but not promoted to meta).
  - meta: log_type
    value: auth_success