From 12e1eaa923b806908f93ca945a197c1077dd34c5 Mon Sep 17 00:00:00 2001
From: "sven.ketelsen"
Date: Fri, 28 Oct 2022 22:55:10 +0200
Subject: [PATCH] adjusted query_authlog_root_login
- filter ssh signature: awx
- filter ssh signature: gitlabci
---
 kustomize/base/files/exporter.cfg | 72 ++++++++++++++++++++-----------
 1 file changed, 47 insertions(+), 25 deletions(-)
diff --git a/kustomize/base/files/exporter.cfg b/kustomize/base/files/exporter.cfg
index a75121b..fb7285c 100644
--- a/kustomize/base/files/exporter.cfg
+++ b/kustomize/base/files/exporter.cfg
@@ -9,31 +9,53 @@ QueryIndices = <*-authlog-*>
 QueryOnError = drop
 QueryOnMissing = drop
 QueryJson = {
- "size": 0,
- "query": {
- "bool": {
- "must": [],
- "filter": [
- {
- "range": {
- "@timestamp": {
- "format": "strict_date_optional_time",
- "gte": "now-5m/m",
- "lte": "now"
- }
- }
- },
- {
- "exists": {
- "field": "system.auth.user"
- }
- },
- {
- "match_phrase": {
- "system.auth.user": "root"
- }
+ "size": 0,
+ "query": {
+ "bool": {
+ "must": [],
+ "filter": [
+ {
+ "range": {
+ "@timestamp": {
+ "format": "strict_date_optional_time",
+ "gte": "now-5m/m",
+ "lte": "now"
 }
- ]
+ }
+ },
+ {
+ "exists": {
+ "field": "system.auth.user"
+ }
+ },
+ {
+ "match_phrase": {
+ "system.auth.user": "root"
+ }
+ },
+ {
+ "match_phrase": {
+ "system.auth.ssh.event": "Accepted"
+ }
 }
- }
+ ], "must_not": [
+ {
+ "exists": {
+ "field": "system.auth.sudo.user"
+ }
+ },
+ {
+ "match_phrase": {
+ "system.auth.ssh.signature": "ED25519 SHA256:mbqaHromGo9o0xRQW7yQG5X4Y72t9k2eJdvsOAOYNvc"
+ }
+ },
+ {
+ "match_phrase": {
+ "system.auth.ssh.signature": "ED25519 SHA256:FdAFdv9hoxEWiViXl9k8WRwq5OoWDvGQL+uzg6vjV3Q"
+ }
+ }
+ ]
+ }
 }
+ }
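Review bot: The two `must_not` `match_phrase` clauses on `system.auth.ssh.signature` exclude every accepted root SSH login made with those two keys, so if either automation key were ever compromised, root logins using it would no longer be counted by this query at all. The values are public-key fingerprints rather than secrets, so keeping them in the config is fine, but nothing in the file records which key is which — the awx/gitlabci mapping exists only in the commit message and a JSON value cannot carry comments — so a comment line outside `QueryJson` (if the exporter config format accepts one) naming the owner of each fingerprint and when the exception was last reviewed would help the next maintainer. A second, lower-severity query that counts root logins which do match these fingerprints (constrained by client address too, if the auth log records one) would keep a signal for misuse of the automation keys instead of leaving them invisible. Note also that the new `"system.auth.ssh.event": "Accepted"` filter narrows the query from any `root` auth event to successful SSH logins only, so failed root attempts and non-SSH root sessions are no longer counted; that is worth stating in the query's name or a comment if it is intended.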