Azkabahn

ELK and PasswordState

Hi,

I would like to start this thread to get some insights into whether any other customers are using an external syslog server to ship the logs from PasswordState. I am using the ELK stack. Currently I am trying to create custom filters in Kibana to filter out the logs from PasswordState. My question is: does PasswordState always include the "Passwordstate" value in the logs that are sent to the syslog server?

host:X.X.X.X @timestamp:September 12th 2017, 17:17:29.728 @version:1 message:<110>2017-09-12 16:15:52 X.X.X.X Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. Client IP Address = X.X.X.X _id:AV_aAXYurEipAt82YaPZ _type:logs _index:%{type}-2017.11.20 _score: -

Feature Request - it would be great to have support for TCP ports.

I'm currently fighting the syslog feed myself, putting it into Graylog (like @Sarge).

In our case, I'm running into the issue that the default syslog parser reads the timestamp as the source name, leading to a large number of different sources (instead of the single Passwordstate), with thousands of messages all appearing at 01:14:34 (for example).
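The two problems raised so far, the opening post's question about the "Passwordstate" tag and the timestamp that a stock syslog parser mistakes for a host name, come down to the shape of the line quoted above: a PRI in angle brackets, a "yyyy-MM-dd HH:mm:ss" timestamp instead of the RFC 3164 "MMM dd HH:mm:ss" form, the sending host, the application name followed by a colon, then the message. The parser below is an added example (not Click Studios' code and not taken from any ELK or Graylog configuration); it assumes that line shape and uses constructed placeholder hosts and addresses.

```python
import re
from datetime import datetime

# Passwordstate writes the timestamp as "yyyy-MM-dd HH:mm:ss", so the pattern
# matches that explicitly rather than the RFC 3164 "MMM dd HH:mm:ss" form.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<app>[^:\s]+):\s+(?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(
    r"Failed '(?P<method>[^']+)' login attempt for UserID '(?P<user>[^']+)' "
    r"from the IP Address '(?P<ip>[^']+)'"
)

def parse_line(line):
    """Parse one Passwordstate syslog line into a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "host": m.group("host"),
        "app": m.group("app"),
        "message": m.group("msg"),
    }

def failed_logins(lines):
    """Return (user, source_ip) for every Passwordstate failed-login event."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["app"] != "Passwordstate":
            continue  # other daemons, or lines in a different syslog format
        fm = FAILED_LOGIN_RE.search(ev["message"])
        if fm:
            hits.append((fm.group("user"), fm.group("ip")))
    return hits

# Constructed sample input (placeholder hosts/addresses) modelled on the line
# quoted in the thread, plus two lines the filter should skip.
SAMPLE = [
    "<110>2017-09-12 16:15:52 10.0.0.5 Passwordstate: Failed 'Forms Based' login "
    "attempt for UserID 'n.lastname' from the IP Address '10.0.0.9'. Client IP Address = 10.0.0.9",
    "<110>2017-09-12 16:16:01 10.0.0.5 Passwordstate: User 'j.doe' logged in.",
    "<38>Sep 12 16:16:02 otherhost sshd[123]: Failed password for root",
]
```

With PRI 110 the facility decodes to 13 (log audit) and the severity to 6 (informational), so a severity-only filter will not separate failed logins from routine events; matching on the message text, as above, is what singles them out.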

Hi Guys,

In the latest build, we've provided the option where you can specify your own date/time format for Syslog messages - go to the screen Administration -> System Settings -> Proxy & Syslog Servers, and you will see it.

Regards

Click Studios

12 hours ago, Buckit said:

I'm currently fighting the syslog feed myself, putting it into Graylog (like @Sarge).
I got your PM last night, I'll check our Graylog and see if I'm seeing the same thing.

We stopped looking into the implementation of Graylog at the moment due to other ongoing projects; so it hasn't been visited this year.

@Sarge: Oof, that's a shame. Sorry to hear that! I'm currently running a PoC to try out a few logging platforms, and am definitely looking to push one through in the next two months.

7 hours ago, support said:

In the latest build, we've provided the option where you can specify your own date/time format for Syslog messages - go to the screen Administration -> System Settings -> Proxy & Syslog Servers, and you will see it.

Ahh that's cool! For now I'm on a release from two months ago though, but I'm looking forward to the new features!

Hi Guys,

We had the following overnight from another customer who is now successfully using Graylog:

"However, there was no question. I found the specification of the toString function and the format parameter on the Internet.
The timezone is zzz. I set Date Formatting to yyyy-MM-ddTHH:mm:sszzz and the output is correct.
Thank you for solving the problem."

Regards

Click Studios
