Parser Example
Linux Auth Log
Linux Auth Log
Overview
Parser xử lý các loại log từ Linux Auth Log (/var/log/auth.log):
- SSH Authentication: Login success/failure từ sshd
- PAM Events: Pluggable Authentication Module events
- su/sudo: Privilege escalation events
- User Management: useradd, userdel, passwd, groupadd events
- systemd-logind: Session management events
Sample Logs
1. SSH Login Success
{"@timestamp":"2026-03-17T10:30:15.123Z","message":"Mar 17 10:30:15 webserver01 sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 52341 ssh2: RSA SHA256:abc123xyz","timestamp":"2026-03-17T10:30:15.123Z","host":"webserver01"}
2. SSH Login Failed
{"@timestamp":"2026-03-17T10:30:20.456Z","message":"Mar 17 10:30:20 webserver01 sshd[12346]: Failed password for invalid user test from 10.0.0.5 port 54321 ssh2","timestamp":"2026-03-17T10:30:20.456Z","host":"webserver01"}
3. PAM Authentication
{"@timestamp":"2026-03-17T10:35:30.789Z","message":"Mar 17 10:35:30 appserver01 sshd[5678]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.50 user=admin","timestamp":"2026-03-17T10:35:30.789Z","host":"appserver01"}
4. sudo Command
{"@timestamp":"2026-03-17T10:40:45.012Z","message":"Mar 17 10:40:45 dbserver01 sudo[9999]: hungp : TTY=pts/0 ; PWD=/home/hungp ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx","timestamp":"2026-03-17T10:40:45.012Z","host":"dbserver01"}
5. su Command
{"@timestamp":"2026-03-17T10:45:00.345Z","message":"Mar 17 10:45:00 proxyserver01 su[1111]: Successful su for root by admin","timestamp":"2026-03-17T10:45:00.345Z","host":"proxyserver01"}
6. User Created
{"@timestamp":"2026-03-17T10:50:15.678Z","message":"Mar 17 10:50:15 webserver01 useradd[2222]: new user: name=newuser, UID=1001, GID=1001, home=/home/newuser, shell=/bin/bash","timestamp":"2026-03-17T10:50:15.678Z","host":"webserver01"}
7. Password Changed
{"@timestamp":"2026-03-17T10:55:30.901Z","message":"Mar 17 10:55:30 appserver01 passwd[3333]: pam_unix(passwd:chauthtok): password changed for admin","timestamp":"2026-03-17T10:55:30.901Z","host":"appserver01"}
8. Session Opened
{"@timestamp":"2026-03-17T11:00:45.234Z","message":"Mar 17 11:00:45 dbserver01 systemd-logind[444]: New session 15 of user admin.","timestamp":"2026-03-17T11:00:45.234Z","host":"dbserver01"}
Parser Configuration
#regex
#conditional
event_timestamp = .timestamp
host_hostname = ""
process_name = ""
process_pid = ""
event_message = ""
event_action = ""
event_category = ""
event_outcome = ""
event_module = "auth"
source_ip = ""
source_port = ""
user_name = ""
user_id = ""
user_effective_id = ""
target_user = ""
group_id = ""
group_name = ""
process_command = ""
process_working_directory = ""
process_tty = ""
log_level = "info"
auth_method = ""
session_id = ""
host_str = ""
if (h, err = to_string(.host); err == null) { host_str = h }
msg_str = ""
if (m, err = to_string(.message); err == null) { msg_str = m }
if (header_m, err = parse_regex(msg_str, r'^[A-Za-z]+[ ]+\d+[ ]+[\d:]+[ ]+(?P<hostname>\S+)[ ]+(?P<process>[^\[]+)\[(?P<pid>\d+)\]:[ ]+(?P<content>.+)$'); err == null) {
host_hostname = to_string(header_m.hostname)
process_name = to_string(header_m.process)
process_pid = to_string(header_m.pid)
event_message = to_string(header_m.content)
}
if host_hostname == "" { host_hostname = host_str }
if event_message == "" { event_message = msg_str }
if contains(process_name, "sshd") {
event_category = "authentication"
if contains(event_message, "Accepted") {
event_action = "logon_success"
event_outcome = "success"
if contains(event_message, "publickey") {
auth_method = "publickey"
}
if contains(event_message, "password") {
auth_method = "password"
}
if (user_m, err = parse_regex(event_message, r'for[ ]+(?P<user>\S+)[ ]+from'); err == null) {
user_name = user_m.user
}
if (ip_m, err = parse_regex(event_message, r'from[ ]+(?P<ip>[0-9.]+)'); err == null) {
source_ip = ip_m.ip
}
if (port_m, err = parse_regex(event_message, r'port[ ]+(?P<port>\d+)'); err == null) {
source_port = port_m.port
}
}
if contains(event_message, "Failed password") {
event_action = "logon_failed"
event_outcome = "failure"
auth_method = "password"
if (user_m, err = parse_regex(event_message, r'for[ ]+(?:invalid user )?(?P<user>\S+)[ ]+from'); err == null) {
user_name = user_m.user
}
if (ip_m, err = parse_regex(event_message, r'from[ ]+(?P<ip>[0-9.]+)'); err == null) {
source_ip = ip_m.ip
}
if (port_m, err = parse_regex(event_message, r'port[ ]+(?P<port>\d+)'); err == null) {
source_port = port_m.port
}
}
if contains(event_message, "pam_unix") {
if contains(event_message, "authentication failure") {
event_action = "logon_failed"
event_outcome = "failure"
if (user_m, err = parse_regex(event_message, r'user=(?P<user>\S+)'); err == null) {
user_name = user_m.user
}
if (rhost_m, err = parse_regex(event_message, r'rhost=(?P<ip>[0-9.]+)'); err == null) {
source_ip = rhost_m.ip
}
if (uid_m, err = parse_regex(event_message, r'uid=(?P<uid>\d+)'); err == null) {
user_id = uid_m.uid
}
if (euid_m, err = parse_regex(event_message, r'euid=(?P<euid>\d+)'); err == null) {
user_effective_id = euid_m.euid
}
}
if contains(event_message, "session opened") {
event_action = "session_start"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'for user[ ]+(?P<user>\S+)'); err == null) {
user_name = user_m.user
}
}
if contains(event_message, "session closed") {
event_action = "session_end"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'for user[ ]+(?P<user>\S+)'); err == null) {
user_name = user_m.user
}
}
}
if contains(event_message, "Disconnected") {
event_action = "session_end"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'user[ ]+(?P<user>\S+)'); err == null) {
user_name = user_m.user
}
if (ip_m, err = parse_regex(event_message, r'from[ ]+(?P<ip>[0-9.]+)'); err == null) {
source_ip = ip_m.ip
}
}
if contains(event_message, "Invalid user") {
event_action = "logon_failed"
event_outcome = "failure"
log_level = "warning"
if (user_m, err = parse_regex(event_message, r'Invalid user[ ]+(?P<user>\S+)[ ]+from'); err == null) {
user_name = user_m.user
}
if (ip_m, err = parse_regex(event_message, r'from[ ]+(?P<ip>[0-9.]+)'); err == null) {
source_ip = ip_m.ip
}
}
}
if process_name == "sudo" {
event_category = "iam"
event_action = "privilege_escalation"
event_outcome = "success"
if (sudo_user_m, err = parse_regex(event_message, r'^(?P<user>\S+)[ ]+:'); err == null) {
user_name = sudo_user_m.user
}
if (tty_m, err = parse_regex(event_message, r'TTY=(?P<tty>\S+)'); err == null) {
process_tty = tty_m.tty
}
if (pwd_m, err = parse_regex(event_message, r'PWD=(?P<pwd>[^ ;]+)'); err == null) {
process_working_directory = pwd_m.pwd
}
if (target_m, err = parse_regex(event_message, r'USER=(?P<target>\S+)'); err == null) {
target_user = target_m.target
}
if (cmd_m, err = parse_regex(event_message, r'COMMAND=(?P<cmd>.+)$'); err == null) {
process_command = cmd_m.cmd
}
if contains(event_message, "authentication failure") {
event_outcome = "failure"
log_level = "warning"
}
if contains(event_message, "NOT in sudoers") {
event_outcome = "failure"
log_level = "error"
}
if contains(event_message, "incorrect password") {
event_outcome = "failure"
log_level = "warning"
}
}
if process_name == "su" {
event_category = "iam"
event_action = "privilege_escalation"
if contains(event_message, "Successful su") {
event_outcome = "success"
if (su_m, err = parse_regex(event_message, r'Successful su for[ ]+(?P<target>\S+)[ ]+by[ ]+(?P<user>\S+)'); err == null) {
target_user = su_m.target
user_name = su_m.user
}
}
if contains(event_message, "FAILED su") {
event_outcome = "failure"
log_level = "warning"
if (su_m, err = parse_regex(event_message, r'FAILED su for[ ]+(?P<target>\S+)[ ]+by[ ]+(?P<user>\S+)'); err == null) {
target_user = su_m.target
user_name = su_m.user
}
}
if contains(event_message, "pam_unix") {
if contains(event_message, "session opened") {
event_action = "session_start"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'for user[ ]+(?P<user>\S+)'); err == null) {
target_user = user_m.user
}
}
if contains(event_message, "session closed") {
event_action = "session_end"
event_outcome = "success"
}
}
}
if process_name == "useradd" {
event_category = "iam"
event_action = "user_created"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'new user:[ ]+name=(?P<user>[^,]+)'); err == null) {
user_name = user_m.user
}
if (uid_m, err = parse_regex(event_message, r'UID=(?P<uid>\d+)'); err == null) {
user_id = uid_m.uid
}
if (gid_m, err = parse_regex(event_message, r'GID=(?P<gid>\d+)'); err == null) {
group_id = gid_m.gid
}
}
if process_name == "userdel" {
event_category = "iam"
event_action = "user_deleted"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'delete user[ ]+(?P<user>[^\s,]+)'); err == null) {
user_name = user_m.user
}
if (user_m2, err = parse_regex(event_message, r'delete[ ]+(?P<user>\S+)'); err == null) {
if user_name == "" { user_name = user_m2.user }
}
}
if process_name == "passwd" {
event_category = "iam"
event_action = "password_changed"
event_outcome = "success"
if (user_m, err = parse_regex(event_message, r'password changed for[ ]+(?P<user>\S+)'); err == null) {
user_name = user_m.user
}
if contains(event_message, "password change failed") {
event_outcome = "failure"
log_level = "warning"
}
}
if process_name == "groupadd" {
event_category = "iam"
event_action = "group_created"
event_outcome = "success"
if (grp_m, err = parse_regex(event_message, r'new group:[ ]+name=(?P<group>[^,]+)'); err == null) {
group_name = grp_m.group
}
if (gid_m, err = parse_regex(event_message, r'GID=(?P<gid>\d+)'); err == null) {
group_id = gid_m.gid
}
}
if process_name == "groupdel" {
event_category = "iam"
event_action = "group_deleted"
event_outcome = "success"
if (grp_m, err = parse_regex(event_message, r'group[ ]+(?P<group>[^\s,]+)'); err == null) {
group_name = grp_m.group
}
}
if contains(process_name, "systemd-logind") {
event_category = "session"
if contains(event_message, "New session") {
event_action = "session_start"
event_outcome = "success"
if (sess_m, err = parse_regex(event_message, r'New session[ ]+(?P<sid>\d+)[ ]+of user[ ]+(?P<user>\w+)'); err == null) {
session_id = sess_m.sid
user_name = sess_m.user
}
}
if contains(event_message, "Removed session") {
event_action = "session_end"
event_outcome = "success"
if (sess_m, err = parse_regex(event_message, r'Removed session[ ]+(?P<sid>\d+)'); err == null) {
session_id = sess_m.sid
}
}
}
if event_category == "" { event_category = "authentication" }
if event_action == "" { event_action = "info" }
if event_outcome == "" { event_outcome = "unknown" }
#normalize
timestamp: format_timestamp!(parse_timestamp!(event_timestamp, "%Y-%m-%dT%H:%M:%S.%3fZ"), "%Y-%m-%d %H:%M:%S")
event.module: event_module
event.category: event_category
event.action: event_action
event.outcome: event_outcome
log.level: log_level
message: event_message
host.hostname: host_hostname
process.name: process_name
process.pid: process_pid
process.tty: process_tty
process.command_line: process_command
process.working_directory: process_working_directory
source.ip: source_ip
source.port: source_port
user.name: user_name
user.id: user_id
user.effective.id: user_effective_id
group.id: group_id
group.name: group_name
labels: {"target_user": target_user, "auth_method": auth_method, "session_id": session_id}
Output (ECS Format)
1. SSH Login Success Output
{
"timestamp": "2026-03-17 10:30:15",
"event.module": "auth",
"event.category": "authentication",
"event.action": "logon_success",
"event.outcome": "success",
"log.level": "info",
"message": "Accepted publickey for admin from 192.168.1.100 port 52341 ssh2: RSA SHA256:abc123xyz",
"host.hostname": "webserver01",
"process.name": "sshd",
"process.pid": "12345",
"source.ip": "192.168.1.100",
"source.port": "52341",
"user.name": "admin",
"labels": {
"auth_method": "publickey"
}
}
2. SSH Login Failed Output
{
"timestamp": "2026-03-17 10:30:20",
"event.module": "auth",
"event.category": "authentication",
"event.action": "logon_failed",
"event.outcome": "failure",
"log.level": "info",
"message": "Failed password for invalid user test from 10.0.0.5 port 54321 ssh2",
"host.hostname": "webserver01",
"process.name": "sshd",
"process.pid": "12346",
"source.ip": "10.0.0.5",
"source.port": "54321",
"user.name": "test",
"labels": {
"auth_method": "password"
}
}
3. sudo Command Output
{
"timestamp": "2026-03-17 10:40:45",
"event.module": "auth",
"event.category": "iam",
"event.action": "privilege_escalation",
"event.outcome": "success",
"log.level": "info",
"message": "hungp : TTY=pts/0 ; PWD=/home/hungp ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
"host.hostname": "dbserver01",
"process.name": "sudo",
"process.pid": "9999",
"process.tty": "pts/0",
"process.command_line": "/usr/bin/systemctl restart nginx",
"process.working_directory": "/home/hungp",
"user.name": "hungp",
"labels": {
"target_user": "root"
}
}
4. User Created Output
{
"timestamp": "2026-03-17 10:50:15",
"event.module": "auth",
"event.category": "iam",
"event.action": "user_created",
"event.outcome": "success",
"log.level": "info",
"message": "new user: name=newuser, UID=1001, GID=1001, home=/home/newuser, shell=/bin/bash",
"host.hostname": "webserver01",
"process.name": "useradd",
"process.pid": "2222",
"user.name": "newuser",
"user.id": "1001",
"group.id": "1001"
}
5. Session Start Output
{
"timestamp": "2026-03-17 11:00:45",
"event.module": "auth",
"event.category": "session",
"event.action": "session_start",
"event.outcome": "success",
"log.level": "info",
"message": "New session 15 of user admin.",
"host.hostname": "dbserver01",
"process.name": "systemd-logind",
"process.pid": "444",
"user.name": "admin",
"labels": {
"session_id": "15"
}
}