1onsuccess: next_stage
2filter: "evt.Parsed.program == 'sshesame'"
3name: thespad/sshesame-logs
4description: "Parse sshesame logs"
5pattern_syntax:
6  SSHESAME_TIMESTAMP: '%{DATE_X} %{TIME}'
7  SSHESAME_LOGIN_PASSWD: '%{SSHESAME_TIMESTAMP:timestamp} \[%{IP:source_ip}:\d+\] authentication for user "%{USERNAME:sshesame_user}" with password "%{GREEDYDATA:sshesame_password}" accepted'
8  SSHESAME_LOGIN_PUBKEY: '%{SSHESAME_TIMESTAMP:timestamp} \[%{IP:source_ip}:\d+\] authentication for user "%{USERNAME:sshesame_user}" with public key "%{GREEDYDATA:sshesame_pubkey}" accepted'
9  SSHESAME_CMD: '%{SSHESAME_TIMESTAMP:timestamp} \[%{IP:source_ip}:\d+\] \[channel \d+\] command "%{GREEDYDATA:sshesame_cmd}" requested'
10  SSHESAME_INPUT: '%{SSHESAME_TIMESTAMP:timestamp} \[%{IP:source_ip}:\d+\] \[channel \d+\] input: "%{GREEDYDATA:sshesame_input}"'
11nodes:
12  - grok:
13      name: "SSHESAME_LOGIN_PASSWD"
14      apply_on: message
15      statics:
16        - meta: log_type
17          value: sshesame_login
18        - meta: target_user
19          expression: "evt.Parsed.sshesame_user"
20  - grok:
21      name: "SSHESAME_LOGIN_PUBKEY"
22      apply_on: message
23      statics:
24        - meta: log_type
25          value: sshesame_login
26        - meta: target_user
27          expression: "evt.Parsed.sshesame_user"
28  - grok:
29      name: "SSHESAME_CMD"
30      apply_on: message
31      statics:
32        - meta: log_type
33          value: sshesame_cmd
34  - grok:
35      name: "SSHESAME_INPUT"
36      apply_on: message
37      statics:
38        - meta: log_type
39          value: sshesame_input
40statics:
41    - target: evt.StrTime
42      expression: "evt.Parsed.timestamp"
43    - meta: service
44      value: sshesame
45    - meta: source_ip
46      expression: "evt.Parsed.source_ip"
47    - meta: username
48      expression: "evt.Parsed.sshesame_user"
49    - meta: command
50      expression: "evt.Parsed.sshesame_cmd"
51    - meta: input
52      expression: "evt.Parsed.sshesame_input"
53