Update sshd-logs.yaml with a new pattern #1105

Open
wants to merge 1 commit into
base: master
Conversation

r-tokarski

@r-tokarski r-tokarski commented Aug 31, 2024

Hi, I'm using CentOS Stream 9 (not sure if this is related), and my sshd service logs look like this (my server name and IP were edited):
Aug 31 12:17:49 myserver sshd[319482]: Connection closed by xx.xx.xx.xx port 42056 [preauth]

When using cscli explain (my server name and IP edited):

[root@myserver log]# cscli explain --log "Aug 31 12:17:49 myserver sshd[319482]: Connection closed by xx.xx.xx.xx port 42056 [preauth]" --type syslog
line: Aug 31 12:17:49 myserver sshd[319482]: Connection closed by xx.xx.xx.xx port 42056 [preauth]
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (+12 ~9)
	├ s01-parse
	|	├ 🔴 crowdsecurity/nginx-logs
	|	├ 🔴 crowdsecurity/sshd-logs
	|	└ 🔴 crowdsecurity/sshd-success-logs
	└-------- parser failure 🔴

Because this type of log is unknown to CrowdSec, my server is spammed with these kinds of messages. The edited IP is the same.

[root@myserver crowdsecurity]# journalctl | grep 'Connection closed by' | tail -n 5
Aug 31 12:24:11 myserver sshd[319636]: Connection closed by xx.xx.xx.xx port 56250 [preauth]
Aug 31 12:35:35 myserver sshd[319750]: Connection closed by xx.xx.xx.xx port 52014 [preauth]
Aug 31 12:35:36 myserver sshd[319752]: Connection closed by xx.xx.xx.xx port 52026 [preauth]
Aug 31 12:43:46 myserver sshd[319796]: Connection closed by xx.xx.xx.xx port 36044 [preauth]
Aug 31 12:43:46 myserver sshd[319798]: Connection closed by xx.xx.xx.xx port 36060 [preauth]

My proposed new simple pattern should deal with these kinds of logs. After manually applying it to /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml, this is the result:

[root@myserver crowdsecurity]# cscli explain --log "Aug 31 12:17:49 myserver sshd[319482]: Connection closed by xx.xx.xx.xx port 42056 [preauth]" --type syslog
line: Aug 31 12:17:49 myserver sshd[319482]: Connection closed by xx.xx.xx.xx port 42056 [preauth]
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (+12 ~9)
	├ s01-parse
	|	├ 🔴 crowdsecurity/nginx-logs
	|	└ 🟢 crowdsecurity/sshd-logs (+4 ~1)
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
	|	├ 🟢 crowdsecurity/geoip-enrich (+13)
	|	├ 🔴 crowdsecurity/http-logs
	|	└ 🟢 crowdsecurity/whitelists (unchanged)
	├-------- parser success 🟢
	├ Scenarios
		├ 🟢 crowdsecurity/ssh-bf
		├ 🟢 crowdsecurity/ssh-bf_user-enum
		├ 🟢 crowdsecurity/ssh-slow-bf
		└ 🟢 crowdsecurity/ssh-slow-bf_user-enum

I hope this proposed change will be considered helpful; I'm not very experienced with CrowdSec yet. Thanks for creating it! :)

Added new pattern syntax for sshd-logs
@r-tokarski r-tokarski changed the title Update sshd-logs.yaml with new pattern Update sshd-logs.yaml with a new pattern Aug 31, 2024
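The two cscli explain runs above show the same line going from "parser failure" to "parser success" once the s01-parse stage has a pattern for it. The following is an added example, not CrowdSec's code and not the pattern from this PR (the PR's pattern text is not shown on this page): it re-implements the two parsing stages in Python regexes, with the `[preauth]` close line as one sshd message pattern beside two stand-ins for patterns the hub already handles. Field names (`event_type`, `source_ip`, `source_port`, `user`) and the sample log lines (RFC 5737 / RFC 3849 addresses) are this example's own constructions.

```python
"""Toy re-implementation of the syslog-logs and sshd-logs parsing stages.

Added example, not CrowdSec's own code: the real hub parser is a grok pattern
in sshd-logs.yaml; Python regexes approximate it here. Field names are this
example's own choice, not the hub's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Stage 1 (the syslog-logs equivalent): split "Mon DD HH:MM:SS host prog[pid]: msg".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Either an IPv4 dotted quad or an IPv6 address (hex digits and colons).
_IP = r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"

# Stage 2 (the sshd-logs equivalent): message patterns, most specific first.
# "preauth_close" covers the line discussed above, in both its bare form and the
# "Connection closed by invalid/authenticating user X IP port N [preauth]" form
# sshd also emits. The other two stand in for patterns the hub already has.
SSHD_PATTERNS: Dict[str, re.Pattern[str]] = {
    "invalid_user": re.compile(
        rf"^Invalid user (?P<user>\S*) from {_IP} port (?P<source_port>\d+)$"
    ),
    "failed_password": re.compile(
        rf"^Failed password for (?:invalid user )?(?P<user>\S+) from {_IP} "
        r"port (?P<source_port>\d+) ssh2$"
    ),
    "preauth_close": re.compile(
        r"^Connection closed by (?:(?:invalid|authenticating) user (?P<user>\S+) )?"
        rf"{_IP} port (?P<source_port>\d+) \[preauth\]$"
    ),
}

# Emulates the hub parser before a [preauth] pattern exists, as in the first
# cscli explain output above: same patterns minus preauth_close.
PATTERNS_BEFORE: Dict[str, re.Pattern[str]] = {
    k: v for k, v in SSHD_PATTERNS.items() if k != "preauth_close"
}


@dataclass
class SshdEvent:
    event_type: str
    source_ip: str
    source_port: int
    user: Optional[str]
    host: str
    timestamp: str


def parse_line(line: str, patterns: Dict[str, re.Pattern[str]] = SSHD_PATTERNS) -> Optional[SshdEvent]:
    """Return an SshdEvent, or None when no pattern matches (the red 'parser failure')."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program") != "sshd":
        return None
    for event_type, pat in patterns.items():
        pm = pat.match(m.group("message"))
        if pm:
            return SshdEvent(
                event_type=event_type,
                source_ip=pm.group("source_ip"),
                source_port=int(pm.group("source_port")),
                user=pm.groupdict().get("user"),
                host=m.group("host"),
                timestamp=m.group("timestamp"),
            )
    return None


def classify(lines: Iterable[str], patterns: Dict[str, re.Pattern[str]] = SSHD_PATTERNS) -> Dict[str, int]:
    """Count parse outcomes per event type; 'unparsed' counts parser failures."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line, patterns)
        key = ev.event_type if ev else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample input (documentation addresses, fake fingerprint), not real logs.
SAMPLE_LINES = [
    "Aug 31 12:17:49 myserver sshd[319482]: Connection closed by 203.0.113.5 port 42056 [preauth]",
    "Aug 31 12:24:11 myserver sshd[319636]: Connection closed by 203.0.113.5 port 56250 [preauth]",
    "Aug 31 12:24:12 myserver sshd[319640]: Connection closed by invalid user admin 203.0.113.5 port 56260 [preauth]",
    "Aug 31 12:24:13 myserver sshd[319644]: Connection closed by authenticating user root 2001:db8::1 port 56270 [preauth]",
    "Aug 31 12:25:00 myserver sshd[319650]: Invalid user admin from 203.0.113.5 port 56280",
    "Aug 31 12:25:01 myserver sshd[319650]: Failed password for invalid user admin from 203.0.113.5 port 56280 ssh2",
    "Aug 31 12:26:00 myserver sshd[319660]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:fakefingerprint",
    "Aug 31 12:26:05 myserver systemd[1]: Started Session 42 of User alice.",
]

if __name__ == "__main__":
    print("before:", classify(SAMPLE_LINES, PATTERNS_BEFORE))
    print("after: ", classify(SAMPLE_LINES))
```

Running it shows the "before" table with all four `[preauth]` lines counted as unparsed and the "after" table with them classified. One caveat worth keeping in mind when wiring such a pattern into the ssh-bf family of scenarios: sshd logs `Connection closed by ... [preauth]` for any client that disconnects before authentication completes, including TCP health checks and banner scanners that never send an authentication attempt, so a scenario that counts this event as a failed login will also count those sources. That is why the example keeps it as its own event type rather than folding it into `failed_password`.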