[System Auth]: leading white space in user.name for invalid user errors. #12174
Labels
Integration:system
System
needs:triage
Team:Obs-InfraObs
Integration Name
System [system]
Dataset Name
system.auth
Integration Version
1.62.1
Agent Version
8.17.1
Agent Output Type
elasticsearch
Elasticsearch Version
8.17.1
OS Version and Architecture
Debian 12
Software/API Version
No response
Error Message
Event Original
2024-12-21T21:54:20.893629+00:00 bigkimbar sshd[726637]: Failed password for invalid user qvt from 45.172.152.74 port 51250 ssh2
What did you do?
Basic system integration for NIX auth logging. No customization.
What did you see?
I see the username is " qvt" or " ftp" for my invalid logins. It's never the correct username; there is always leading white space.
What did you expect to see?
The same user. Regular auth logs seem to work, just not the invalid user ones. This will fail to correlate events together in ES|QL and other things.
Anything else?
My guess is this line: ^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?
I think this part: for (invalid user)?%{DATA:user.name} doesn't include the space after "invalid user", therefore the DATA grok pattern is taking in the space between "invalid user" and the username.
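To make the reporter's diagnosis reproducible without an Elasticsearch ingest node, here is an added example (not code from the issue or from the system integration) that expands the grok pattern quoted above into a Python regex and runs it over the sshd message text. It assumes the pattern is applied to the message after the syslog prefix (timestamp, host, "sshd[pid]:") has already been stripped, and the grok primitive expansions (DATA, GREEDYDATA, NUMBER, IPORHOST) are approximations written here for these sample lines, not copies of the grok library. The "root" line is a constructed sample alongside the reporter's own event.

```python
import re

# Approximate Python equivalents of the grok primitives used by the pattern.
# These are assumptions written for this example; they are close enough for
# the sample lines below but are not the grok library's exact definitions.
GROK = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?)",
    "IPORHOST": r"[0-9A-Za-z.:\-]+",
}

# Matches %{TYPE:field} and %{TYPE:field:conversion} references.
GROK_REF = re.compile(r"%\{(\w+):([\w.]+)(?::(\w+))?\}")

# The pattern quoted in the issue, verbatim.
CURRENT_PATTERN = (
    r"^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for "
    r"(invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} "
    r"port %{NUMBER:source.port:long} ssh2"
    r"(: %{GREEDYDATA:system.auth.ssh.signature})?"
)

# Same pattern with the trailing space moved inside the optional group,
# which is the fix the reporter's analysis points at.
FIXED_PATTERN = CURRENT_PATTERN.replace("(invalid user)?", "(invalid user )?")

# The reporter's event with the syslog prefix removed (assumed to be what the
# grok stage sees), plus a constructed valid-user line for comparison.
SAMPLE_INVALID = "Failed password for invalid user qvt from 45.172.152.74 port 51250 ssh2"
SAMPLE_VALID = "Failed password for root from 45.172.152.74 port 51250 ssh2"


def grok_to_regex(pattern):
    """Turn each %{TYPE:field} reference into a named capture group."""
    def repl(m):
        ptype, field, _conversion = m.groups()
        # Python group names cannot contain dots, so encode them temporarily.
        return "(?P<%s>%s)" % (field.replace(".", "__"), GROK[ptype])
    return re.compile(GROK_REF.sub(repl, pattern))


def grok_match(pattern, message):
    """Return the extracted fields as a dict keyed by dotted field name, or None."""
    m = grok_to_regex(pattern).match(message)
    if not m:
        return None
    return {name.replace("__", "."): value
            for name, value in m.groupdict().items() if value is not None}


def extract_user(pattern, message):
    """Convenience accessor for the field the issue is about."""
    fields = grok_match(pattern, message)
    return fields["user.name"] if fields else None


if __name__ == "__main__":
    for label, pattern in (("current", CURRENT_PATTERN), ("fixed", FIXED_PATTERN)):
        for msg in (SAMPLE_INVALID, SAMPLE_VALID):
            print("%-7s user.name=%r" % (label, extract_user(pattern, msg)))
```

With the current pattern the optional group consumes "invalid user" and the lazy DATA group then has to swallow the following space to reach " from ", so user.name comes back as " qvt"; the valid-user line is unaffected because the optional group never matches there. Moving the space inside the group makes both lines yield the bare username, which is why the valid-user events correlate correctly today while the invalid-user ones do not.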