2、
filter {
grok {
#type => "syslog"
match => ["message", "%{SYSLOGBASE} Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"]
add_tag => "ssh_brute_force_attack"
}
grok {
#type => "syslog"
match => ["message", "%{SYSLOGBASE} Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"]
add_tag => "ssh_sucessful_login"
}
geoip {
source => "src_ip"
target => "geoip"
add_tag => [ "ssh-geoip" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
add_field => [ "geoipflag", "true" ]
}
}