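#
# keep track of used pubkeys and algos
#
# Fluent Bit classic-format pipeline, rendered as an Ansible/Jinja2 template:
# tails the auth log, parses which user authenticated with which key and
# algorithm, enriches the peer address with GeoIP data and ships the records
# to OpenSearch. Filters run in file order; all stages match the `auth` tag.
# The parsers referenced below (syslog_msg, ssh_pubkey, name_pid_msg,
# name_msg) are defined outside this file.

[INPUT]
    name tail
    path /var/log/{{ auth_log_file }}
    tag auth
    # NOTE(review): no `db` is set, so the read offset is not persisted across
    # agent restarts and lines written while the agent is down are not
    # replayed — consider `db <path-to-offset-db>` for an audit feed.

# provides msg
[FILTER]
    name parser
    match auth
    key_name log
    parser syslog_msg

# provides user src_ip ssh_proto algo pubkey
# preserve_key keeps `msg` on the record so the two process-name parsers
# below can still consume it
[FILTER]
    name parser
    match auth
    key_name msg
    parser ssh_pubkey
    preserve_key true
    reserve_data true

# provides proc_name proc_pid proc_msg when proc_name[proc_pid]:
# NOTE(review): preserve_key false removes `msg` once this parser succeeds,
# which presumably is what stops the name_msg stage from re-parsing the same
# record — confirm against the parser definitions
[FILTER]
    name parser
    match auth
    key_name msg
    parser name_pid_msg
    preserve_key false
    reserve_data true

# provides proc_name proc_msg when proc_name:
[FILTER]
    name parser
    match auth
    key_name msg
    parser name_msg
    preserve_key false
    reserve_data true

# check/sanitize parsed ip before geoip evaluation and use common source_ip
# field across various vpn engines
# https://docs.fluentbit.io/manual/pipeline/filters/modify
# The condition regex is searched, not fully matched, so it is anchored and
# the octets bounded: the earlier unanchored [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# also accepted values such as "1234.5.6.7x" or any string merely containing
# a dotted quad. Only plain IPv4 literals are renamed; records whose src_ip
# is not one (e.g. IPv6 peers) keep src_ip and are not geo-enriched.
[FILTER]
    name modify
    match auth
    condition key_value_matches src_ip ^([0-9]{1,3}\.){3}[0-9]{1,3}$
    rename src_ip source_ip

# casual/enriched geoip data for peer's public ip
# city/country names are taken from the database's Russian (ru) locale
[FILTER]
    name geoip2
    match auth
    database /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key source_ip
    record source.geo.city_name source_ip %{city.names.ru}
    record source.geo.country_name source_ip %{country.names.ru}
    record nest_lat source_ip %{location.latitude}
    record nest_lon source_ip %{location.longitude}
    # error-only logging for this filter — presumably to keep failed lookups
    # (private/unknown addresses) out of the agent log; verify
    log_level error

# catch lat lon (lat comes first)
# nest_lat / nest_lon -> source_location: { lat, lon }
[FILTER]
    name nest
    match auth
    operation nest
    wildcard nest_*
    remove_prefix nest_
    nest_under source_location

# tag every record with the emitting host
[FILTER]
    name modify
    match auth
    add sensor flb@{{ansible_hostname}}

# alternative local file sink, left disabled
#[OUTPUT]
#    name file
#    match auth
#    path /var/log
#    file fluent-bit.log

[OUTPUT]
    name opensearch
    match auth
    host {{log_host}}
    port {{log_port}}
    # TLS with certificate verification; no tls.ca_file is given, so the
    # server certificate of log_host must chain to the system trust store
    tls on
    tls.verify on
    index audithack-auth
    # the basic-auth credential is rendered in clear text into this file:
    # keep log_http_passwd in an encrypted variable store and make the
    # rendered file readable only by the fluent-bit user
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    suppress_type_name on
    # NOTE(review): replace_dots left off so dotted keys (source.geo.*) index
    # as object paths — presumably intended; confirm against the index mapping
    #replace_dots on
    trace_error on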