flb // sshguard logs

spot internal brute-force attempts

vi /etc/fluent-bit/custom_parsers.conf
# sshguard - Blocking "x.x.x.x/nn" for NNN secs ...
# NOTE(review): the `for [0-9]+ secs` tail of this regex is the shape of
# sshguard's "Blocking" line, not its "Attack from" line, so the header
# comments on pass1 and pass2 appear to be swapped -- confirm against a live
# journal entry before relying on the msg field.
# Captures:
#   msg      - first whitespace-free token of the line (expected: "Blocking")
#   src_cidr - the quoted text that follows; [^ ]+ accepts any non-space
#              characters, so the value is NOT validated as an IP or CIDR and
#              should be treated as untrusted input by whatever consumes it
[PARSER]
    Name   sshguard_pass1
    Format regex
    Regex  ^(?<msg>[^ ]+) "(?<src_cidr>[^ ]+)" for [0-9]+ secs .*$

# sshguard - Attack from "x.x.x.x" on service NNN ...
# NOTE(review): `[^ ]+ from` followed by `on service` is the shape of
# sshguard's "Attack from" line, so the header comments on pass1 and pass2
# appear to be swapped -- confirm against a live journal entry.
# Captures:
#   msg    - the leading token plus the literal word "from" (expected: "Attack from")
#   src_ip - the quoted text that follows; [^ ]+ does not validate it as an
#            address, so downstream consumers should not assume a well-formed IP
[PARSER]
    Name   sshguard_pass2
    Format regex
    Regex  ^(?<msg>[^ ]+ from) "(?<src_ip>[^ ]+)" on service .*$

# sshguard - x.x.x.x: unblocking after xxx secs
# do not tag unblocked ip as additional attackers -- do not use src_ip
# Captures:
#   src_cidr - the text before the first colon (which must be followed by a
#              space), expected to be the address/prefix being released
#   msg      - the first token after that colon (expected: "unblocking")
# NOTE(review): src_cidr is also the field name pass1 assigns to the blocked
# address, so anything downstream that keys on src_cidr still sees unblock
# events and must inspect msg to tell a block from an unblock. Because [^:]+
# cannot cross a colon, a line whose address itself contains colons (IPv6)
# never matches this regex and is passed on unparsed.
[PARSER]
    Name   sshguard_pass3
    Format regex
    Regex  ^(?<src_cidr>[^:]+): (?<msg>[^ ]+).*$
vi /etc/fluent-bit/fluent-bit.conf
# Only the relevant [SERVICE] key is shown; "..." stands for the rest of the section.
[SERVICE]
    ...
# custom_parsers.conf holds the sshguard_pass* parser definitions; a relative
# path is presumably resolved against this main config file's directory -- confirm
        parsers_file custom_parsers.conf

#
# spot internal brutes
#

[INPUT]
        name systemd
# only journal entries emitted by sshguard.service are read
        systemd_filter _SYSTEMD_UNIT=sshguard.service
# start at the journal tail on startup instead of replaying history.
# NOTE(review): no `db` option is set to persist the journal cursor, so
# attacks logged while fluent-bit is down are not replayed after a restart;
# add `db <PATH-TO-CURSOR-DB>` if gap-free coverage of block events matters
        read_from_tail on
# every record is tagged "sshguard"; the filters and the output match on it
        tag sshguard

# https://docs.fluentbit.io/manual/pipeline/filters/parser
# First of three parser passes over the journal MESSAGE field. Each regex in
# custom_parsers.conf is anchored with ^...$ and keys on a different literal
# fragment, so a line is not expected to match more than one of them; a line
# that matches none passes through with MESSAGE unchanged.
# NOTE(review): Reserve_Data / Preserve_Key are left at their defaults here;
# if those defaults discard the other journal fields on a successful parse,
# _HOSTNAME and friends are lost -- presumably why a sensor field is added by
# a modify filter further down. Confirm before relying on journal metadata.
[FILTER]
        name parser
        match sshguard
        key_name MESSAGE
        parser sshguard_pass1

# second parser pass over MESSAGE using sshguard_pass2 from custom_parsers.conf;
# records whose MESSAGE does not match this regex pass through unchanged
[FILTER]
        name parser
        match sshguard
        key_name MESSAGE
        parser sshguard_pass2

# third parser pass over MESSAGE using sshguard_pass3 from custom_parsers.conf
# (the "unblocking" line); records that do not match pass through unchanged
[FILTER]
        name parser
        match sshguard
        key_name MESSAGE
        parser sshguard_pass3

# label every sshguard record with the sensor that produced it
[FILTER]
        name modify
        match sshguard
# HOSTNAME-HERE is a placeholder: set it to this host's name. A stale value
# silently mislabels events if this file is copied to another host.
# NOTE(review): Fluent Bit can expand ${HOSTNAME} from the process
# environment, but whether that variable is set under the service's
# environment must be confirmed before relying on it.
        add sensor sshguard@HOSTNAME-HERE

# write the parsed sshguard records to a local file (no format key is set,
# so the plugin's default record format is used -- check it suits the consumer)
[OUTPUT]
        name file
        match sshguard
        path /var/log
# the resulting file holds attacker addresses and the sensor label, i.e.
# detection evidence: review its ownership/mode, and arrange rotation since
# nothing in this config rotates it
        file fluent-bit.OUTPUT.log
