Get Filebeats System module to parse key exchange failures for SSH

[swedishmike]

Currently the System Module 'only' parses failed and successful authentications and populates the system.auth.ssh.event.field with "Accepted", "Failed" or "Invalid". It would be useful if another entry/parsing could be added. This is for when the negotiation of Key Exchange protocol fails as in the exanples below. This could for example be named NegotiatonError. Parsing the connecting IP with GeoIP would also be very useful.

Mar 13 15:13:30 hostname sshd[10440]: Unable to negotiate with XXX.XXX.XXX.XXX port 10718: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 13 15:14:07 hostname sshd[10444]: Unable to negotiate with XXX.XXX.XXX.XXX port 41311: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 13 15:14:25 hostname sshd[10447]: Unable to negotiate with XXX.XXX.XXX.XXX port 27413: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 13 15:14:43 hostname sshd[10451]: Unable to negotiate with XXX.XXX.XXX.XXX port 56318: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 13 15:15:25 hostname sshd[10455]: Unable to negotiate with XXX.XXX.XXX.XXX port 60650: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

This could be useful on quite a lot of levels. From a security point of view you'd get deeper information about people trying to connect and possibly attempt bruteforce SSH accounts, even though this time your hardening makes it troublesome for them. If you look at it from a sysadmin view you will get information about mis-matching configurations in your infrastructure.

[jsoriano]

For context, this is a follow up of https://discuss.elastic.co/t/another-value-for-system-auth-ssh-event-in-the-system-module/172118

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.