doksu / ta-linux_secure Goto Github PK

Hi

Thanks for the TA.
I have 2 kinds of logs in which the vendor_action is not contained in linux_secure_vendor_actions.csv.

Here is a sample for the 2 values I get as vendor_actions:

vendor_action=-f
May 18 11:09:42 XXXX sshd[2780]: Starting session: forced-command (config) 'internal-sftp -l VERBOSE -f AUTHPRIV' for XXXX from XX.XXX.XX.XX port 36896 id 0 [postauth]

vendor_action=-session:
May 18 11:03:03 XXXX sshd[34568]: Starting session: command for grid from XXX.XXX.XX.XXX port 34791 id 0

version = 1.0.0

Cheers

Marta

Hi

Thanks for the TA. I am finding it is not extraction SRC_IP although specified in this stanza.

[sshd_auth]
REGEX = (\S+) (\S+) for (\S+) from (\S+) port (\d+) ([^\:]+)(?:: (\S+) (\S+))?
FORMAT = vendor_action::$1 auth_method::$2 user::$3 src_ip::$4 src_port::$5 ssh_protocol::$6 algorithm::$7 public_key_fingerprint::$8

Regex is valid but not working. Il seek to resolve but just for tracking.

Version 0.1.3.

Cheers,

Paul

App is currently not listed as compatible with splunk 8 on splunkbase : https://splunkbase.splunk.com/app/3476/