spot internal brute-force attempts
# edit the parser definitions that fluent-bit.conf pulls in via parsers_file
vi /etc/fluent-bit/custom_parsers.conf
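# sshguard - Blocking "x.x.x.x/32" for NNN secs (...)
# msg captures the leading word ("Blocking"); src_cidr captures the quoted
# address/prefix that was put on the block list.
# (The regex requires a single word before the quote, so it cannot match the
# two-word "Attack from" line handled by sshguard_pass2.)
[PARSER]
    Name        sshguard_pass1
    Format      regex
    Regex       ^(?<msg>[^ ]+) "(?<src_cidr>[^ ]+)" for [0-9]+ secs .*$

# sshguard - Attack from "x.x.x.x" on service NNN with danger N
# msg captures "Attack from"; src_ip captures the quoted attacker address.
[PARSER]
    Name        sshguard_pass2
    Format      regex
    Regex       ^(?<msg>[^ ]+ from) "(?<src_ip>[^ ]+)" on service .*$

# sshguard - x.x.x.x: unblocking after xxx secs
# do not tag unblocked ip as additional attackers -- do not use src_ip
# The address is matched as [^ ]+ (as in the two parsers above) rather than
# [^:]+, so an IPv6 address, which contains colons, is captured whole instead
# of being cut off at its first colon.
[PARSER]
    Name        sshguard_pass3
    Format      regex
    Regex       ^(?<src_cidr>[^ ]+): (?<msg>[^ ]+).*$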
# edit the main pipeline: systemd input -> sshguard_pass* parser filters -> file output
vi /etc/fluent-bit/fluent-bit.conf
# Main Fluent Bit pipeline: sshguard journal entries -> regex parsers -> flat file.
[SERVICE]
    ...
    # holds the sshguard_pass1..3 [PARSER] definitions used by the filters below
    parsers_file custom_parsers.conf

#
# spot internal brutes
#
# Read only sshguard's own journal entries; read_from_tail avoids replaying
# old history when the agent (re)starts.
[INPUT]
    name           systemd
    systemd_filter _SYSTEMD_UNIT=sshguard.service
    read_from_tail on
    tag            sshguard

# https://docs.fluentbit.io/manual/pipeline/filters/parser
# The three parsers are tried in this order against the journal MESSAGE field.
# NOTE(review): the parser filter's Reserve_Data option defaults to Off, so a
# record that matches is presumably reduced to the parsed fields and loses the
# other journal fields (e.g. _HOSTNAME) — set reserve_data on if they are
# wanted downstream; confirm against the running version.
[FILTER]
    name     parser
    match    sshguard
    key_name MESSAGE
    parser   sshguard_pass1

[FILTER]
    name     parser
    match    sshguard
    key_name MESSAGE
    parser   sshguard_pass2

# sshguard_pass3 handles the "unblocking" line and deliberately does not emit
# src_ip, so consumers keying on src_ip do not count unblocks as attacks.
[FILTER]
    name     parser
    match    sshguard
    key_name MESSAGE
    parser   sshguard_pass3

# Stamp every record with a static sensor id so the collector can tell hosts apart.
# NOTE(review): HOSTNAME-HERE is a per-host placeholder to replace before deploying.
[FILTER]
    name  modify
    match sshguard
    add   sensor sshguard@HOSTNAME-HERE

# Write the (parsed or unparsed) sshguard records to a local file.
[OUTPUT]
    name  file
    match sshguard
    path  /var/log
    file  fluent-bit.OUTPUT.log