
Commit e114c81

committed
Merge branch 'master' into reframe_commit
2 parents 2a71d50 + 6ec5dfb commit e114c81


7 files changed

+50
-11
lines changed


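--- a/files/shorewall
+++ b/files/shorewall
@@ -1,5 +1,6 @@
-SHOREWALL_TCP .*?%{WORD:fwrule}\:%{WORD:fwtarget}\:IN\=%{WORD:fwin} OUT\=\s*MAC\=%{DATA:fwmac} SRC\=%{IPORHOST:fwsrc} DST\=%{IPORHOST:fwdst} .*? PROTO\=%{WORD:fwproto} SPT\=%{INT:fwspt:int} DPT\=%{INT:fwdpt:int} .*?
-SHOREWALL_UDP .*?%{WORD:fwrule}\:%{WORD:fwtarget}\:IN\=%{WORD:fwin} OUT\=%{WORD:fwout}.*?SRC\=%{IPORHOST:fwsrc} DST\=%{IPORHOST:fwdst} .*? PROTO\=%{WORD:fwproto} SPT\=%{INT:fwspt:int} DPT\=%{INT:fwdpt:int} .*?
-SHOREWALL_ICMP .*?%{WORD:fwrule}\:%{WORD:fwtarget}\:IN\=%{WORD:fwin} OUT\=%{WORD:fwout} SRC\=%{IPORHOST:fwsrc} DST\=%{IPORHOST:fwdst} .*? PROTO\=%{WORD:fwproto} .*?
+SHOREWALL_COMMON %{DATA:fwrule}\:%{DATA:fwtarget}\:IN\=%{DATA:fwin} OUT\=%{DATA:fwout} (?:MAC\=%{DATA:fwmac} )?SRC\=%{IPORHOST:fwsrc} DST\=%{IPORHOST:fwdst}
 
-SHOREWALL_MSG (?:%{SHOREWALL_TCP}|%{SHOREWALL_UDP}|%{SHOREWALL_ICMP})
+SHOREWALL_TCP_UDP .*?PROTO\=%{DATA:fwproto} SPT\=%{INT:fwspt:int} DPT\=%{INT:fwdpt:int} .*?
+SHOREWALL_ICMP .*?PROTO\=%{DATA:fwproto} TYPE=%{INT:icmp_type:int} CODE=%{INT:icmp_code:int} .*?
+
+SHOREWALL_MSG Shorewall:%{SHOREWALL_COMMON} (?:%{SHOREWALL_TCP_UDP}|%{SHOREWALL_ICMP})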
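Review bot: In the new SHOREWALL_ICMP the `TYPE=` and `CODE=` literals are the only unescaped `=` in the file; every other key uses `\=` (`IN\=`, `PROTO\=`, `SPT\=`), so `TYPE\=%{INT:icmp_type:int} CODE\=%{INT:icmp_code:int}` would keep the style uniform. SHOREWALL_COMMON also changes what is emitted: the removed SHOREWALL_TCP captured no fwout at all (`OUT\=\s*MAC\=`), whereas `OUT\=%{DATA:fwout} ` now always produces an fwout field, which is the empty string whenever the kernel logs `OUT= `, so downstream filters keying on fwout should expect "". A one-line `#` comment above SHOREWALL_COMMON stating that fwout may be empty and fwmac is optional would spare the next reader a trip through the old per-protocol patterns.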

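--- a/files/ssh
+++ b/files/ssh
@@ -10,7 +10,7 @@ SSH_SUBSYSTEM .*?subsystem request for (?<subsystem>.*)
 SSH_DISCONNECT_USER .*?Received disconnect from %{IPORHOST:ip}: %{NONNEGINT}: (?<reason>disconnected by user)$
 SSH_DISCONNECT_OTHER Disconnected from %{IPORHOST:ip} port %{NONNEGINT}
 SSH_DISCONNECT %{SSH_DISCONNECT_USER}|%{SSH_DISCONNECT_OTHER}
-SSH_VALID_INVALID .*?(?<status>Accepted|Failed|Invalid user)(?: %{WORD:method} for)? %{USERNAME_PAT} from %{IPORHOST:ip}(?: port %{NONNEGINT:port})?
+SSH_VALID_INVALID .*?(?<status>Accepted|Failed|Invalid user)(?: %{WORD:method} for)? %{USERNAME_PAT} from %{IPORHOST:ip}(?: port %{NONNEGINT:port:int})?(?: ssh2: %{NOTSPACE:ssh_key_type} %{GREEDYDATA:ssh_key_fingerprint})?
 SSH_INPUT_USERAUTH .*?input_userauth_request: (?<inputuserauth>invalid user %{USERNAME_PAT})
 SSH_AUTH_REFUSED .*?Authentication refused: bad ownership or modes for file %{PATH:ownerpath}
 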
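Review bot: `%{GREEDYDATA:ssh_key_fingerprint}` at the end of SSH_VALID_INVALID runs to the end of the message, so anything sshd prints after the fingerprint lands inside the field; for certificate logins sshd, as far as I recall its format, appends ` ID <key-id> (serial N) CA <type> <fingerprint>` after the key fingerprint, which would leave ssh_key_fingerprint holding two fingerprints and a key id. Fingerprints contain no whitespace, so `(?: ssh2: %{NOTSPACE:ssh_key_type} %{NOTSPACE:ssh_key_fingerprint})?` captures exactly the token and leaves any tail unmatched, which grok tolerates because the pattern is not end-anchored. The `:int` cast on port brings it in line with the other numeric fields and is covered by the fixture updates in tests/data/ssh.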

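--- a/files/su
+++ b/files/su
@@ -1,5 +1,5 @@
 SU_FAIL (?:(?<su_message>FAILED) SU )?\(to %{NOTSPACE:su_to}\) %{NOTSPACE:su_user} on %{NOTSPACE:su_tty}
 
-SU_SESSIONS pam_unix\(su(?:-l)?:session\): (?<su_message>session (?:opened|closed)) for user %{NOTSPACE:su_user}(?: by %{USERNAME_PAT}\(uid=%{NUMBER}\))?
+SU_SESSIONS pam_unix\(su(?:-l)?:session\): (?<su_message>session (?:opened|closed)) for user %{NOTSPACE:su_user}(?: by (?:%{USERNAME_PAT})?\(uid=%{NUMBER}\))?
 
 SU_MSG %{SU_FAIL}|%{SU_SESSIONS}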
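Review bot: With the username now optional inside the `by` clause, `\(uid=%{NUMBER}\)` is the only attribution left on a `by (uid=0)` line, and it is still an unnamed capture, so the event records nothing about who opened the session. Naming it, `\(uid=%{NUMBER:su_by_uid:int}\)`, costs nothing and also makes the new alternative observable: the whole `by` group is optional and SU_SESSIONS has no `$` anchor, so a message whose tail fails the group still matches, and only a captured field reveals which branch was taken. %{USERNAME_PAT} is defined outside this file, so whether the old branch emits a username field cannot be confirmed from the hunk.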

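--- a/setup.py
+++ b/setup.py
@@ -32,7 +32,7 @@
 import glob
 
 setup(name="logstash-patterns",
-version="1.2.6",
+version="1.2.8",
 description="Grok patterns for logstash",
 long_description="""Grok patterns for parsing log messages with logstash.
 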

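--- a/tests/data/shorewall
+++ b/tests/data/shorewall
@@ -21,8 +21,8 @@ data = [
 "fwsrc" : "10.0.0.2",
 "fwdst" : "10.0.0.1",
 "fwproto" : "UDP",
-u"fwspt" : u"57002",
-u"fwdpt" : u"53",
+u"fwspt" : 57002,
+u"fwdpt" : 53,
 }
 },
 {
@@ -39,4 +39,18 @@ data = [
 "fwdpt" : 22,
 }
 },
+{
+"raw" : "<6>1 2021-02-11T10:06:22.340438+01:00 cerberus kernel: Shorewall:all-all:REJECT:IN=em3 OUT=p2p1 MAC=24:6e:96:78:50:02:94:57:a5:60:53:fb:08:00 SRC=10.148.12.200 DST=134.184.15.95 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=27802 SEQ=0",
+"expected" : {
+"fwrule" : "all-all",
+"fwtarget" : "REJECT",
+"fwin" : "em3",
+"fwproto" : "ICMP",
+"icmp_code": 0,
+"icmp_type": 8,
+"fwsrc": "10.148.12.200",
+"fwdst": "134.184.15.95",
+"fwmac": "24:6e:96:78:50:02:94:57:a5:60:53:fb:08:00",
+}
+},
 ]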
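Review bot: The new ICMP fixture's expected dict omits fwout although the raw line carries `OUT=p2p1` and the reworked SHOREWALL_COMMON captures it; adding `"fwout" : "p2p1",` pins that capture, and if the harness compares only the listed keys the entry as written never checks it. The first hunk keeps the `u"..."` prefix on fwspt/fwdpt while the new entry uses plain string keys, a style inconsistency within the same list. The raw line also embeds a routable destination address; an RFC 5737 documentation address such as 192.0.2.10 keeps fixtures from naming real-looking hosts.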

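--- a/tests/data/ssh
+++ b/tests/data/ssh
@@ -25,7 +25,7 @@ data = [
 "expected" : {
 'method': 'publickey',
 'pid': '44668',
-'port': '43493',
+'port': 43493,
 'program': 'sshd',
 'status': 'Accepted',
 'syslog_abspri': '86',
@@ -107,7 +107,7 @@ data = [
 "expected" : {
 'method': 'publickey',
 'pid': '8245',
-'port': '55141',
+'port': 55141,
 'program': 'sshd',
 'status': 'Accepted',
 'syslog_abspri': '86',
@@ -132,4 +132,19 @@ data = [
 'username': 'oneadmin',
 }
 },
+{
+"raw": "<86>1 2021-02-08T21:04:11.450531+01:00 login2 sshd[35227]: Accepted publickey for vsc10001 from 109.136.238.10 port 57465 ssh2: RSA SHA256:cz3lwY9mjGfznACfU23BOSY0iYjFFgnp1exj1ijBfQA",
+"expected": {
+'program': 'sshd',
+'syslog_abspri': '86',
+'username': 'vsc10001',
+'@source_host': 'login2',
+'method': 'publickey',
+'port': 57465,
+'status': 'Accepted',
+'ssh_key_type': 'RSA',
+'ssh_key_fingerprint': 'SHA256:cz3lwY9mjGfznACfU23BOSY0iYjFFgnp1exj1ijBfQA',
+'ip': '109.136.238.10',
+}
+},
 ]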
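Review bot: The new fixture does not assert `pid` although the raw line contains `sshd[35227]` and both earlier fixtures touched in this file check it (`'pid': '44668'`, `'pid': '8245'`); add `'pid': '35227',` so the case stays as strict as its neighbours. If the harness compares only the listed keys, the omission passes silently and a regression in pid extraction would go unnoticed here. The source address looks like a production value; an RFC 5737 documentation address keeps the fixture from pointing at a real host.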

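--- a/tests/data/su
+++ b/tests/data/su
@@ -59,4 +59,13 @@ data = [
 'su_user': 'vsc43020',
 }
 },
+{
+"raw": "<86>1 2021-02-11T09:58:36.638152+01:00 node056 su: pam_unix(su:session): session opened for user vsc43020 by (uid=0)",
+"expected": {
+'program': 'su',
+'@source_host': 'node056',
+'su_message': 'session opened',
+'su_user': 'vsc43020',
+}
+},
 ]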
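Review bot: This fixture cannot tell whether the new `by (uid=0)` form of SU_SESSIONS is actually consumed: the `by` clause is an optional group and the pattern has no end anchor, so the line matches through `vsc43020` either way, and the expected dict asserts nothing derived from the tail. Unless the harness requires the whole message to be matched, the case would pass unchanged against the previous pattern. Asserting a field captured from the `(uid=0)` part, once the pattern names one, would turn this into a real regression test.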
