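# CONFIGURED BY ANSIBLE #
#
# Fluent Bit pipeline: tail the auth log, extract ssh pubkey/algo fields from
# each message, geolocate the peer address and ship the records to the
# audithack-auth OpenSearch index.
# keep track of used pubkeys and algos
#
# NOTE(review): this is an Ansible template; the {{ }} expressions are rendered
# before Fluent Bit reads the file. The rendered file therefore contains the
# OpenSearch credential in clear text, so its file mode must be restricted and
# the log_http_passwd variable should come from an encrypted source.

# provides host ident pid message
[INPUT]
    name    tail
    path    /var/log/{{auth_log_file}}
    parser  syslog_no_time
    tag     auth
    # NOTE(review): no db is set, so after a Fluent Bit restart tail resumes at
    # the end of the file and lines written meanwhile are not shipped; a
    # persistent `db <path>` would close that gap -- confirm before relying on
    # this index for audit completeness.

# sshguard logs go to audithack-brutes instead
[FILTER]
    name     grep
    match    auth
    exclude  ident ^sshguard$

# https://docs.fluentbit.io/manual/pipeline/filters/parser
# preserve_key ==> keep the original field (default false)
# reserve_data ==> keep all the other fields (default false)
# provides user src_ip ssh_proto algo pubkey
# warning works great with openssh logs not dropbear
[FILTER]
    name          parser
    match         auth
    key_name      message
    parser        ssh_pubkey
    preserve_key  true
    reserve_data  true

# check/sanitize parsed ip before geoip evaluation and use common source_ip
# field across various vpn engines
# https://docs.fluentbit.io/manual/pipeline/filters/modify
# The pattern is anchored so that only a value that is entirely a dotted quad
# is renamed; an unanchored pattern would also accept a value with arbitrary
# text before or after the address, which defeats the sanitizing intent.
# IPv6 peers do not match, keep the src_ip name and are therefore not
# geolocated by the filter below.
[FILTER]
    name       modify
    match      auth
    condition  key_value_matches src_ip ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
    rename     src_ip source_ip

# casual/enriched geoip data for peer's public ip
# names are taken from the ru locale of the database; latitude/longitude land
# in temporary nest_* keys that the nest filter below folds together
[FILTER]
    name        geoip2
    match       auth
    database    /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key  source_ip
    record      source_city_name     source_ip %{city.names.ru}
    record      source_country_name  source_ip %{country.names.ru}
    record      nest_lat             source_ip %{location.latitude}
    record      nest_lon             source_ip %{location.longitude}
    log_level   error

# catch lat lon (lat comes first)
# nest_lat / nest_lon become source_location.lat / source_location.lon
[FILTER]
    name           nest
    match          auth
    operation      nest
    wildcard       nest_*
    remove_prefix  nest_
    nest_under     source_location

# final shaping: drop the parser's time field and tag the record with the
# sensor that produced it
[FILTER]
    name   modify
    match  auth
    # @timestamp is enough for logs
    remove time
    add    sensor auth@{{inventory_hostname}}

# presumably a local debugging sink; left disabled so records only reach
# OpenSearch
#[OUTPUT]
#    name   file
#    match  auth
#    path   /var/log
#    file   fluent-bit.log

# tls.verify is on and no tls.ca_file is given, so the server certificate is
# presumably checked against the host's default CA store -- confirm that the
# log host's certificate chains to it.
[OUTPUT]
    name                opensearch
    match               auth
    host                {{log_host}}
    port                {{log_port}}
    tls                 on
    tls.verify          on
    index               audithack-auth
    http_user           {{log_http_user}}
    http_passwd         {{log_http_passwd}}
    suppress_type_name  on
    #replace_dots on
    trace_error         on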