SSH log successful login by publickey too #196
chrisandchris
started this conversation in
Ideas
-
Can you post the actual log file line? You can mask out the user and IP. I'll add this to the regex.
-
Sure, I'll take an example from https://www.elastic.co/de/blog/grokking-the-linux-authorization-logs which looks like mine (with different usernames / IPs obviously):
-
Ok, I believe this is fixed in 1.7.2, which I refreshed today with commit 69a1415. Let me know if you see the same
-
Hi there,
I have a question/input about the defaults for SSH log file parsing. The default only matches "Accepted password [...]", however this does not match any authentication with publickey (or other authentication method). See: https://github.com/DigitalRuby/IPBan/blob/master/IPBanCore/ipban.config#L58
E.g. the message when authenticating with a publickey looks like this:
I suggest either extending the regex in ipban.config to also match publickey auth or using a wildcard (\w) to match any authentication method. Or is there any disadvantage I'm not seeing? Maybe the same applies to failed logins (using an invalid/wrong key pair).
Best regards,
Christian
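The matching question raised in this thread, as an added example that is not part of the discussion and not IPBan's shipped regex: three hypothetical patterns (password only, a `\w+` method wildcard, a `\S+` method wildcard) run over constructed sshd log lines. It is written in Python's regex syntax; the pattern names, the sample users and the documentation-range addresses are assumptions.

```python
import re

# Constructed sshd auth-log lines (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:16:44 host sshd[1207]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:EXAMPLE
Mar  3 10:17:09 host sshd[1213]: Accepted keyboard-interactive/pam for carol from 2001:db8::1 port 40100 ssh2
Mar  3 10:18:30 host sshd[1220]: Failed password for invalid user admin from 203.0.113.5 port 39000 ssh2
""".splitlines()

# Shared tail: user, source address, port.
TAIL = r" for (?P<user>\S+) from (?P<ip>\S+) port \d+"

# Hypothetical patterns for comparison; none of these is IPBan's shipped regex.
PASSWORD_ONLY = re.compile(r"sshd\[\d+\]: Accepted (?P<method>password)" + TAIL)
# \w+ stops at '-' and '/', so it misses "keyboard-interactive/pam".
WORD_METHOD = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+)" + TAIL)
# \S+ accepts any method token sshd writes between "Accepted" and "for".
ANY_METHOD = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+)" + TAIL)


def successful_logins(lines, pattern):
    """Return (method, user, ip) for every line the pattern recognises."""
    found = []
    for line in lines:
        m = pattern.search(line)
        if m:
            found.append((m.group("method"), m.group("user"), m.group("ip")))
    return found


if __name__ == "__main__":
    for name, pat in [("password only", PASSWORD_ONLY),
                      (r"\w+ method", WORD_METHOD),
                      (r"\S+ method", ANY_METHOD)]:
        print(name, successful_logins(SAMPLE_LOG, pat))
```
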