/usr/share/logsparser/normalizers/sshd.xml is in python-logsparser 0.4-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | <?xml version="1.0" encoding="UTF-8"?>
<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!-- -->
<!-- pylogparser - Logs parsers python library -->
<!-- Copyright (C) 2011 Wallix Inc. -->
<!-- -->
<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!-- -->
<!-- This package is free software; you can redistribute -->
<!-- it and/or modify it under the terms of the GNU Lesser -->
<!-- General Public License as published by the Free Software -->
<!-- Foundation; either version 2.1 of the License, or (at -->
<!-- your option) any later version. -->
<!-- -->
<!-- This package is distributed in the hope that it will be -->
<!-- useful, but WITHOUT ANY WARRANTY; without even the implied -->
<!-- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -->
<!-- PURPOSE. See the GNU Lesser General Public License for -->
<!-- more details. -->
<!-- -->
<!-- You should have received a copy of the GNU Lesser General -->
<!-- Public License along with this package; if not, write -->
<!-- to the Free Software Foundation, Inc., 59 Temple Place, -->
<!-- Suite 330, Boston, MA 02111-1307 USA -->
<!-- -->
<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!DOCTYPE normalizer SYSTEM "normalizer.dtd">
<normalizer name="sshd"
version="0.99"
unicode="yes"
ignorecase="yes"
matchtype="match"
appliedTo="body"
taxonomy="access control">
<description><localized_desc language="en">This normalizer can parse connection messages logged by a SSH server.</localized_desc>
<localized_desc language="fr">Ce normaliseur analyse les événements de connexion à un serveur SSH.</localized_desc></description>
<authors>
<author>mhu@wallix.com</author>
</authors>
<tagTypes>
<tagType name="ActionTag" type="basestring">
<description>
<localized_desc language="en">matches the action logged for a connection</localized_desc>
<localized_desc language="fr">correspond à l'action de connexion</localized_desc></description>
<regexp>Failed|Accepted</regexp>
</tagType>
</tagTypes>
<callbacks>
<callback name="decode_action">
if value == "Failed":
log['action'] = 'fail'
else:
log['action'] = 'accept'</callback>
</callbacks>
<patterns>
<pattern name="sshd-001">
<description>
<localized_desc language="en">A generic sshd log line.</localized_desc>
<localized_desc language="fr">Une notification standard de connexion à un serveur SSH.</localized_desc></description>
<text>ACTION METHOD for(?: invalid user)? USER from IP port [0-9]+ ssh[0-9]</text>
<tags>
<tag name="__action" tagType="ActionTag">
<description>
<localized_desc language="en">the outcome of the connection attempt</localized_desc>
<localized_desc language="fr">le résultat de la tentative de connexion</localized_desc></description>
<substitute>ACTION</substitute>
<callbacks>
<callback>decode_action</callback>
</callbacks>
</tag>
<tag name="method" tagType="Anything">
<description>
<localized_desc language="en">the connection method (password or key)</localized_desc>
<localized_desc language="fr">la méthode de connexion utilisée (mot de passe ou clé asymétrique)</localized_desc></description>
<substitute>METHOD</substitute>
</tag>
<tag name="user" tagType="Anything">
<description>
<localized_desc language="en">the user requesting the connection</localized_desc>
<localized_desc language="fr">l'utilisateur à l'origine de la connexion</localized_desc></description>
<substitute>USER</substitute>
</tag>
<tag name="source_ip" tagType="IP">
<description>
<localized_desc language="en">the inbound connection's IP address</localized_desc>
<localized_desc language="fr">l'IP entrante de la connexion</localized_desc></description>
<substitute>IP</substitute>
</tag>
</tags>
<examples>
<example>
<text>Failed password for admin from 218.49.183.17 port 49468 ssh2</text>
<expectedTags>
<expectedTag name="action">fail</expectedTag>
<expectedTag name="method">password</expectedTag>
<expectedTag name="user">admin</expectedTag>
<expectedTag name="source_ip">218.49.183.17</expectedTag>
<expectedTag name="taxonomy">access control</expectedTag>
</expectedTags>
</example>
</examples>
</pattern>
</patterns>
</normalizer>
|