You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
62 lines
1.4 KiB
INI
62 lines
1.4 KiB
INI
[DEFAULT]
|
|
QueryIndices = ""
|
|
|
|
[query_authlog_root_login]
|
|
# The DEFAULT settings can be overridden.
|
|
QueryIntervalSecs = 60
|
|
QueryTimeoutSecs = 15
|
|
QueryIndices = <*-authlog-*>
|
|
QueryOnError = drop
|
|
QueryOnMissing = drop
|
|
QueryJson = {
|
|
"size": 0,
|
|
"query": {
|
|
"bool": {
|
|
"must": [],
|
|
"filter": [
|
|
{
|
|
"range": {
|
|
"@timestamp": {
|
|
"format": "strict_date_optional_time",
|
|
"gte": "now-5m/m",
|
|
"lte": "now"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"exists": {
|
|
"field": "system.auth.user"
|
|
}
|
|
},
|
|
{
|
|
"match_phrase": {
|
|
"system.auth.user": "root"
|
|
}
|
|
},
|
|
{
|
|
"match_phrase": {
|
|
"system.auth.ssh.event": "Accepted"
|
|
}
|
|
}
|
|
],
|
|
"must_not": [
|
|
{
|
|
"exists": {
|
|
"field": "system.auth.sudo.user"
|
|
}
|
|
},
|
|
{
|
|
"match_phrase": {
|
|
"system.auth.ssh.signature": "ED25519 SHA256:mbqaHromGo9o0xRQW7yQG5X4Y72t9k2eJdvsOAOYNvc"
|
|
}
|
|
},
|
|
{
|
|
"match_phrase": {
|
|
"system.auth.ssh.signature": "ED25519 SHA256:FdAFdv9hoxEWiViXl9k8WRwq5OoWDvGQL+uzg6vjV3Q"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|