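# Graylog configuration (terranix-style attribute set) for sshguard log handling:
#  * a pipeline rule, attached to the "All messages" stream, that routes messages
#    with facility "sshguard" into the dedicated sshguard stream, and
#  * a pipeline on that stream that extracts the attacking address from
#    sshguard's `Attack from "<addr>" ...` messages and copies them to the
#    thread (threat) stream.
{
  resource."graylog_pipeline_rule" = {
    # Routing rule; wired to the default stream via graylog.all_messages.rules
    # below.  remove_from_default makes matching messages leave the default
    # stream, so they are only visible in the sshguard stream afterwards.
    routeToSshGuardMessage = {
      description = "route sshguard messages to sshguard stream (TF)";
      # ''${ ... } is Nix's escape for a literal ${ ... }: the reference is a
      # Terraform interpolation resolved at plan time, not a Nix one.
      source = ''
        rule "route sshguard message"
        when
          to_string($message.facility) == "sshguard"
        then
          route_to_stream(id:"''${ graylog_stream.sshguard.id }", remove_from_default: true);
        end
      '';
    };

    # Enrichment rule run by the sshguard stream's pipeline (see
    # graylog.pipeline.processSshGuardMessage below): extracts the attacker
    # address into source_ip, tags the message and routes a copy to the thread
    # stream.  remove_from_default is deliberately not set here, so the message
    # also stays in the sshguard stream.
    extractAttack = {
      description = "extract sshguard attack information (TF)";
      # %{IP:source_ip} (IPv4 or IPv6, from Graylog's default grok pattern set)
      # replaces the former %{IPV4:source_ip}: sshguard also reports IPv6
      # attackers, and with the IPv4-only pattern those messages were tagged and
      # routed but silently lacked a source_ip field.  only_named_captures keeps
      # the unnamed sub-captures of the IP pattern out of the message.
      # NOTE(review): "is_thread" and graylog_stream.thread presumably mean
      # "threat"; renaming them would also require renaming the referenced
      # stream resource, so the names are kept as they are.
      source = ''
        rule "extract sshguard attack"
        when
          starts_with(to_string($message.message), "Attack from")
        then
          set_fields(grok(pattern:"Attack from \"%{IP:source_ip}\"", value: to_string($message.message), only_named_captures: true));
          set_field("is_thread", true);
          route_to_stream(id:"''${ graylog_stream.thread.id }");
        end
      '';
    };
  };

  # Rule names listed here must match the `rule "..."` names in the rule sources
  # above; Graylog resolves pipeline rules by name.
  graylog.all_messages.rules = [ "route sshguard message" ];

  graylog.stream.sshguard = {
    # "\${ ... }" is the double-quoted-string equivalent of ''${ ... }: again a
    # literal Terraform reference, not a Nix interpolation.
    index_set_id = "\${data.graylog_index_set.default.id}";
    pipelines = [ "\${graylog_pipeline.processSshGuardMessage.id}" ];
  };

  # Single-stage pipeline connected to the sshguard stream; runs the extraction
  # rule defined above.
  graylog.pipeline.processSshGuardMessage = {
    source = ''
      stage 0 match all
      rule "extract sshguard attack";
    '';
    description = "process messages of the sshguard stream(TF)";
  };
}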