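# Elasticsearch query definitions for an exporter that polls ES and publishes
# hit counts / aggregation buckets as metrics. The key names (QueryIntervalSecs,
# QueryIndices, QueryJson, QueryOnError, ...) match the prometheus-es-exporter
# config format -- confirm the consumer before changing any syntax below.
#
# Dialect: Python configparser. [DEFAULT] keys are fallbacks for every other
# section, a value continues on following lines that are indented deeper than
# its key (which is how the multi-line QueryJson values work), and quote
# characters are kept as literal data. Comments are full-line '#' only; do not
# put comments inside a QueryJson value.
#
# Both sections read the Linux auth log (field names follow the filebeat
# "system" module: system.auth.user, system.auth.ssh.event, ...). The
# root-login section is the detection; the user-login section is context.

[DEFAULT]
# NOTE(review): configparser keeps the quotes, so this default is the literal
# two-character string "". It is only harmless because every section below
# sets its own QueryIndices; either drop the key or give it a real pattern.
QueryIndices = ""

# Successful SSH logins as root that did NOT present one of the two approved
# key fingerprints. Practitioner notes:
# - QueryOnError / QueryOnMissing = drop: a failed query or a missing index
#   silently removes the metric instead of reporting 0, so a broken ingest
#   pipeline looks exactly like "no root logins". Pair any alert on this
#   metric with an absent()-style alert on the metric itself.
# - The window (now-5m/m .. now) is five times QueryIntervalSecs, so one login
#   shows up in ~5 consecutive polls. Alert on "> 0", not on an increase.
# - The must_not list is an allowlist of key fingerprints: a root login that
#   carries any other signature, or no signature field at all (presumably
#   password or other non-publickey auth -- confirm against the mapping), is
#   counted. Keep the list in sync with root's authorized_keys on every key
#   rotation, and prefer adding keys here over relaxing the query.
# - NOTE(review): match_phrase on system.auth.user is a token match if that
#   field is analysed text; the second section shows a .keyword sub-field
#   exists, so a "term" on system.auth.user.keyword would be an exact match.
#   Left as-is because the mapping is not visible here -- verify.
# - The sudo exclusion presumably drops sudo log lines that also populate
#   system.auth.user -- confirm against the field mapping.
[query_authlog_root_login]
QueryIntervalSecs = 60
QueryTimeoutSecs = 15
QueryIndices = <*-authlog-*>
QueryOnError = drop
QueryOnMissing = drop
QueryJson = {
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                { "range": { "@timestamp": { "format": "strict_date_optional_time", "gte": "now-5m/m", "lte": "now" } } },
                { "exists": { "field": "system.auth.user" } },
                { "match_phrase": { "system.auth.user": "root" } },
                { "match_phrase": { "system.auth.ssh.event": "Accepted" } }
            ],
            "must_not": [
                { "exists": { "field": "system.auth.sudo.user" } },
                { "match_phrase": { "system.auth.ssh.signature": "ED25519 SHA256:mbqaHromGo9o0xRQW7yQG5X4Y72t9k2eJdvsOAOYNvc" } },
                { "match_phrase": { "system.auth.ssh.signature": "ED25519 SHA256:FdAFdv9hoxEWiViXl9k8WRwq5OoWDvGQL+uzg6vjV3Q" } }
            ]
        }
    }
    }

# Per-user breakdown of every auth-log event (successful or not -- there is no
# event filter) in the same five-minute window. "size": 0 means only the
# aggregation is returned, no hits.
# - The range clause is now written exactly like the root-login one (same
#   format and inclusive upper bound) so both sections cover the same window;
#   the original used a bare "lt" with no format.
# - NOTE(review): a terms aggregation without an explicit "size" returns only
#   the top buckets (10 by default); accounts outside that set are not
#   reported. Raise "size" if this metric is used to spot unexpected users.
[query_authlog_user_login]
QueryIntervalSecs = 60
QueryTimeoutSecs = 15
QueryIndices = <*-authlog-*>
QueryOnError = drop
QueryOnMissing = drop
QueryJson = {
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                { "range": { "@timestamp": { "format": "strict_date_optional_time", "gte": "now-5m/m", "lte": "now" } } }
            ]
        }
    },
    "aggs": {
        "system_auth_user": {
            "terms": { "field": "system.auth.user.keyword" }
        }
    }
    }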