bjo
March 4, 2023, 10:36am
Hi,
crowdsec.log tells me:
time="04-03-2023 00:00:09" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=dovecot.service]" src="journalctl-_SYSTEMD_UNIT=dovecot.service" type=journalctl
time="04-03-2023 00:00:09" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=sshd.service]" src="journalctl-_SYSTEMD_UNIT=sshd.service" type=journalctl
time="04-03-2023 00:00:09" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=postfix.service]" src="journalctl-_SYSTEMD_UNIT=postfix.service" type=journalctl
but lines like
Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): check pass; user unknown
Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_faillock(sshd:auth): User unknown
Mar 04 10:06:10 mail.domain.tld sshd[1029968]: Failed password for invalid user clare from 182.59.139.27 port 34293 ssh2
Mar 04 10:06:11 mail.domain.tld sshd[1029968]: Received disconnect from 182.59.139.27 port 34293:11: Bye Bye [preauth]
Mar 04 10:06:11 mail.domain.tld sshd[1029968]: Disconnected from invalid user clare 182.59.139.27 port 34293 [preauth]
Mar 04 10:09:45 mail.domain.tld sshd[1030304]: Invalid user account from 182.59.139.27 port 60228
get ignored.
Explaining also fails, regardless of whether the type is syslog or journalctl:
line: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
 ├ s01-parse
 |  ├ 🔴 crowdsecurity/dovecot-logs
 |  ├ 🔴 crowdsecurity/nextcloud-logs
 |  ├ 🔴 crowdsecurity/nginx-logs
 |  ├ 🔴 crowdsecurity/postfix-logs
 |  ├ 🔴 crowdsecurity/postscreen-logs
 |  └ 🔴 crowdsecurity/sshd-logs
 └-------- parser failure 🔴
Type syslog needs the “whole syslog line”, not just the message part, as it needs to parse sshd from the line. Example:
╰─λ sudo cscli explain --log "Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27" --type syslog -v --only-successful-parsers
line: Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
 ├ s00-raw
 |  ├ 🟢 crowdsecurity/syslog-logs (+12 ~9)
 |     ├ update evt.ExpectMode : %!s(int=0) -> 1
 |     ├ update evt.Stage : -> s01-parse
 |     ├ update evt.Line.Raw : -> Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
 |     ├ update evt.Line.Src : -> /tmp/cscli_test_tmp.log
 |     ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-03-05 20:14:27.808427683 +0000 UTC
 |     ├ create evt.Line.Labels.type : syslog
 |     ├ update evt.Line.Process : %!s(bool=false) -> true
 |     ├ update evt.Line.Module : -> file
 |     ├ create evt.Parsed.facility :
 |     ├ create evt.Parsed.logsource : syslog
 |     ├ create evt.Parsed.message : pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
 |     ├ create evt.Parsed.pid : 1029968
 |     ├ create evt.Parsed.priority :
 |     ├ create evt.Parsed.program : sshd
 |     ├ create evt.Parsed.timestamp : Mar 04 10:06:08
 |     ├ create evt.Parsed.timestamp8601 :
 |     ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-03-05 20:14:27.808733522 +0000 UTC
 |     ├ update evt.StrTime : -> Mar 04 10:06:08
 |     ├ create evt.Meta.datasource_path : /tmp/cscli_test_tmp.log
 |     ├ create evt.Meta.datasource_type : file
 |     └ create evt.Meta.machine : mail.domain.tld
 ├ s01-parse
 |  ├ 🟢 crowdsecurity/sshd-logs (+8 ~1)
 |     ├ update evt.Stage : s01-parse -> s02-enrich
 |     ├ create evt.Parsed.pam_type : unix
 |     ├ create evt.Parsed.sshd_invalid_user :
 |     ├ create evt.Parsed.euid : 0
 |     ├ create evt.Parsed.sshd_client_ip : 182.59.139.27
 |     ├ create evt.Parsed.uid : 0
 |     ├ create evt.Meta.service : ssh
 |     ├ create evt.Meta.source_ip : 182.59.139.27
 |     └ create evt.Meta.log_type : ssh_failed-auth
 ├ s02-enrich
 |  ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
 |     ├ create evt.Enriched.MarshaledTime : 2023-03-04T10:06:08Z
 |     ├ update evt.MarshaledTime : -> 2023-03-04T10:06:08Z
 |     └ create evt.Meta.timestamp : 2023-03-04T10:06:08Z
 |  ├ 🟢 crowdsecurity/geoip-enrich (+13)
 |     ├ create evt.Enriched.SourceRange : 182.56.0.0/14
 |     ├ create evt.Enriched.ASNOrg : Mahanagar Telephone Nigam Limited
 |     ├ create evt.Enriched.IsoCode : IN
 |     ├ create evt.Enriched.Latitude : 19.074800
 |     ├ create evt.Enriched.ASNNumber : 17813
 |     ├ create evt.Enriched.ASNumber : 17813
 |     ├ create evt.Enriched.IsInEU : false
 |     ├ create evt.Enriched.Longitude : 72.885600
 |     ├ create evt.Meta.ASNNumber : 17813
 |     ├ create evt.Meta.ASNOrg : Mahanagar Telephone Nigam Limited
 |     ├ create evt.Meta.SourceRange : 182.56.0.0/14
 |     ├ create evt.Meta.IsInEU : false
 |     └ create evt.Meta.IsoCode : IN
 |  └ 🟢 crowdsecurity/whitelists (unchanged)
 └-------- parser success 🟢
 ├ Scenarios
    ├ 🟢 crowdsecurity/ssh-bf
    ├ 🟢 crowdsecurity/ssh-bf_user-enum
    ├ 🟢 crowdsecurity/ssh-slow-bf
    └ 🟢 crowdsecurity/ssh-slow-bf_user-enum
Using cscli metrics can provide information on how much is parsed.
bjo
March 5, 2023, 8:42pm
The whole line unfortunately also fails:
cscli explain --log "Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27" --type syslog -v
line: Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27
 ├ s01-parse
 |  ├ 🔴 crowdsecurity/dovecot-logs
 |  ├ 🔴 crowdsecurity/nextcloud-logs
 |  ├ 🔴 crowdsecurity/nginx-logs
 |  ├ 🔴 crowdsecurity/postfix-logs
 |  ├ 🔴 crowdsecurity/postscreen-logs
 |  └ 🔴 crowdsecurity/sshd-logs
 └-------- parser failure 🔴
Seems you don't have the s00 parser? Can you run cscli collections install crowdsecurity/linux
2 Likes
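As an added illustration (not code from this thread or from CrowdSec itself) of why the answers above insist on the whole syslog line and on the s00 stage: a simplified Python re-implementation of the two parser stages visible in the explain output, run over the poster's sample sshd lines. The regexes, field names and the `with_s00` switch are assumptions of this example, not CrowdSec's own grok patterns.

```python
import re

# Constructed sample input: the lines quoted in the first post.
SAMPLE_LINES = [
    "Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=182.59.139.27",
    "Mar 04 10:06:10 mail.domain.tld sshd[1029968]: Failed password for invalid user clare "
    "from 182.59.139.27 port 34293 ssh2",
    "Mar 04 10:06:08 mail.domain.tld sshd[1029968]: pam_faillock(sshd:auth): User unknown",
]

# Stage s00-raw (stand-in for crowdsecurity/syslog-logs): needs the full line so it can
# split timestamp, host, program, pid and message. Hypothetical regex, not CrowdSec's.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<machine>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

def s00_syslog(line):
    """Return an event with Parsed.* fields, or None if the header does not match."""
    m = SYSLOG_RE.match(line)
    return {"stage": "s01-parse", "parsed": m.groupdict()} if m else None

# Stage s01-parse (stand-in for crowdsecurity/sshd-logs): its filter keys on
# parsed.program == "sshd", which only the s00 stage can have set.
SSHD_PATTERNS = [
    ("ssh_failed-auth", re.compile(
        r"pam_unix\(sshd:auth\): authentication failure;.* rhost=(?P<ip>[0-9a-fA-F.:]+)")),
    ("ssh_failed-auth", re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")),
]

def s01_sshd(evt):
    """Return the enriched event, or None on parser failure (filter or pattern miss)."""
    if evt is None or evt["parsed"].get("program") != "sshd":
        return None
    for log_type, pat in SSHD_PATTERNS:
        m = pat.search(evt["parsed"]["message"])
        if m:
            meta = {"service": "ssh", "log_type": log_type, "source_ip": m.group("ip")}
            return {"stage": "s02-enrich", "meta": meta,
                    "parsed": {**evt["parsed"], **m.groupdict()}}
    return None  # e.g. the pam_faillock line: no pattern in this toy parser

def explain(line, with_s00=True):
    """Run both stages; with_s00=False mimics the poster's box (no syslog-logs parser)."""
    evt = s00_syslog(line) if with_s00 else {"stage": "s01-parse", "parsed": {"message": line}}
    return s01_sshd(evt)
```

With the s00 stage skipped, every line dies at s01-parse exactly as in the poster's explain output, because program was never extracted.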
bjo
March 5, 2023, 8:45pm
Yes, seems this was the issue. Thanks, it works now!
1 Like