зеркало из https://github.com/mozilla/MozDef.git
update demo event pool
Родитель
51d9832a77
Коммит
5f1fa17d50
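--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]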
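Review bot: The LDAP record (the ninth array element, the one following the second `networklogs` event) does not follow the schema the other twelve records share: it has no `category`, `severity`, `hostname` or `eventsource`, names the client `srcip` where the Bro records use `sourceipaddress`, its `timestamp` `"2014-04-17T00:05:02"` carries no UTC offset, and its `receivedtimestamp` (`00:05:03.941186+00:00`) precedes its `utctimestamp` (`07:05:02+00:00`), so one of the two is presumably a local time labelled as UTC. A demo pool is what new alert rules and dashboards are exercised against, so a record the pipeline cannot place on the timeline or filter by category will make a correct rule look broken. I would give `timestamp` an explicit offset and make `utctimestamp` and `receivedtimestamp` agree (the slapd `source` lines read `00:05:02`, but which side is actually UTC is not recoverable from the page), add the four missing top-level keys, and rename `srcip` to `sourceipaddress`. The missing-value conventions also vary across records, `""` for `processid`, `"-"` for `uid`/`proto`/ports and `"0.0.0.0"` for both addresses in the `SSH::Password_Guessing` records, and `"0.0.0.0"` in particular is a real address that IP-based rules will match, so one sentinel (or omission) per field type would be safer. The same records appear in the second and third file sections of this commit.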
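--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]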
@ -0,0 +1,322 @@
[
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:06:54+00:00",
"timestamp": "2014-04-17T06:06:54+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
"summary": "Did not receive identification string from 10.0.0.1\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "4846",
"program": "sshd",
"hostname": "proxy",
"payload": "",
"timestamp": "Apr 17 06:06:53"
}
},
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:06:53+00:00",
"timestamp": "2014-04-17T06:06:53+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
"summary": "Connection from 10.0.0.214 port 35783\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "2520",
"program": "sshd",
"hostname": "git",
"payload": "",
"timestamp": "Apr 17 06:06:52"
}
},
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:06:52+00:00",
"timestamp": "2014-04-17T06:06:52+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
"summary": "Did not receive identification string from 10.0.0.210\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "1939",
"program": "sshd",
"hostname": "git",
"payload": "",
"timestamp": "Apr 17 06:06:51"
}
},
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:10:54+00:00",
"timestamp": "2014-04-17T06:10:54+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "",
"program": "sudo",
"hostname": "input",
"payload": "",
"timestamp": "Apr 17 06:10:54"
}
},
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:10:51+00:00",
"timestamp": "2014-04-17T06:10:51+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "",
"program": "sudo",
"hostname": "redis",
"payload": "",
"timestamp": "Apr 17 06:10:51"
}
},
{
"category": "syslog",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:10:28+00:00",
"timestamp": "2014-04-17T06:10:28+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
"eventsource": "systemslogs",
"tags": [
"example"
],
"details": {
"processid": "",
"program": "sudo",
"hostname": "admin",
"payload": "",
"timestamp": "Apr 17 06:10:27"
}
},
{
"category": "network",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:15:07+00:00",
"timestamp": "2014-04-17T06:15:07+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
"eventsource": "networklogs",
"tags": [
"example"
],
"details": {
"processid": "35029",
"program": "mgd",
"hostname": "fw.example.com",
"payload": "",
"timestamp": "Apr 17 06:15:06"
}
},
{
"category": "network",
"processid": "0",
"severity": "INFO",
"utctimestamp": "2014-04-17T06:19:41+00:00",
"timestamp": "2014-04-17T06:19:41+00:00",
"hostname": "syslog.example.com",
"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
"eventsource": "networklogs",
"tags": [
"example"
],
"details": {
"processid": "744",
"program": "mgd",
"hostname": "switch1.example.com",
"payload": "",
"timestamp": "Apr 17 06:19:40"
}
},
{
"utctimestamp": "2014-04-17T07:05:02+00:00",
"tags": [
"example"
],
"timestamp": "2014-04-17T00:05:02",
"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
"details": {
"dn": "john@example.com,o=com,dc=example",
"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
"srcip": "10.0.0.209",
"result": "LDAP_SUCCESS",
"success": true
}
},
{
"category": "bronotice",
"processid": "0",
"severity": "NOTICE",
"utctimestamp": "2014-04-17T07:17:09+00:00",
"timestamp": "2014-04-17T07:17:09+00:00",
"hostname": "nsm5",
"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
"eventsource": "nsm",
"tags": [
"example"
],
"details": {
"destinationipaddress": "10.0.0.38",
"uid": "CXOBsx4vMrhPXR4qM4",
"proto": "tcp",
"ts": "1397805429.043383",
"note": "SSL::Invalid_Server_Cert",
"sourceport": "46823",
"destinationport": "7071",
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
"sourceipaddress": "10.0.0.154",
"payload": "",
"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:07+00:00",
|
||||
"timestamp": "2014-04-17T07:17:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "8.8.8.8",
|
||||
"destinationiplocation": "United States/San Francisco, CA",
|
||||
"uid": "C5L6pJ2db92s2ajfnb",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805427.078946",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "34262",
|
||||
"destinationport": "443",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.42",
|
||||
"payload": "",
|
||||
"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:37+00:00",
|
||||
"timestamp": "2014-04-17T07:16:37+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.838051",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:36+00:00",
|
||||
"timestamp": "2014-04-17T07:16:36+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.486722",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:06:34+00:00",
|
||||
"timestamp": "2014-04-17T07:06:34+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
|
||||
"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.170",
|
||||
"uid": "CAz8qn41YD9T8eNuh1",
|
||||
"proto": "tcp",
|
||||
"ts": "1397804793.952344",
|
||||
"note": "SSL::Certificate_Expired",
|
||||
"sourceport": "39764",
|
||||
"destinationport": "311",
|
||||
"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
|
||||
"sourceipaddress": "10.0.0.128",
|
||||
"payload": "",
|
||||
"sub": "-"
|
||||
}
|
||||
}
|
||||
]
|
|
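--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]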
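Review bot: The LDAP record starting at `{ "utctimestamp": "2014-04-17T07:05:02+00:00"` is the only event in the pool without `category`, `processid`, `severity`, `hostname` and `eventsource`, so anything that iterates the pool and reads `category` has to special-case it; every other record carries those keys and this one should too. Its `timestamp` `"2014-04-17T00:05:02"` has no UTC offset and sits seven hours before `utctimestamp`, and `receivedtimestamp` `"2014-04-17T00:05:03.941186+00:00"` is marked UTC yet also precedes `utctimestamp` by seven hours, so the event reads as received before it occurred; if the source clock was UTC-7 as the gap suggests, `"timestamp": "2014-04-17T00:05:02-07:00"` and `"receivedtimestamp": "2014-04-17T00:05:03.941186-07:00"` would make the three fields agree. Missing values are also spelled three ways in one file (`"processid": ""` in the sudo records, `"-"` for `uid` and ports in the bro notices, `"0.0.0.0"` for addresses), which is worth settling on a single convention for demo data that others will copy. The same points apply to the identical section that follows.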
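--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]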
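--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]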
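Review bot: The ninth record of this pool (the `LDAP_SUCCESS` event, from `"utctimestamp": "2014-04-17T07:05:02+00:00"` down to `"success": true`) is missing the `category`, `severity`, `hostname`, `eventsource` and top-level `processid` keys that every other record carries, so anything in the demo that facets on `category` or `eventsource` silently drops it; those keys should be filled with whatever the LDAP ingestion path actually emits rather than guessed here. Its clocks also disagree: `timestamp` is a naive `2014-04-17T00:05:02` with no offset, and `receivedtimestamp` `2014-04-17T00:05:03.941186+00:00` sits about seven hours before `utctimestamp`, i.e. the event is timestamped after it was received, which `"timestamp": "2014-04-17T07:05:02+00:00",` and `"receivedtimestamp": "2014-04-17T07:05:03.941186+00:00",` would make consistent. One fixture-hygiene point: the second `SSL::Invalid_Server_Cert` record uses `"destinationipaddress": "8.8.8.8"` (a real public resolver, with a geo string attached) while every other address in the pool is in private 10/8; an RFC 5737 documentation address (for example the constructed `203.0.113.10`) keeps demo traffic from looking like a connection to a real host. The next file section on this page is a line-for-line copy of this one and has the same three issues.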
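--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,322 @@
+[
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:54+00:00",
+"timestamp": "2014-04-17T06:06:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
+"summary": "Did not receive identification string from 10.0.0.1\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "4846",
+"program": "sshd",
+"hostname": "proxy",
+"payload": "",
+"timestamp": "Apr 17 06:06:53"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:53+00:00",
+"timestamp": "2014-04-17T06:06:53+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
+"summary": "Connection from 10.0.0.214 port 35783\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "2520",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:52"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:06:52+00:00",
+"timestamp": "2014-04-17T06:06:52+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
+"summary": "Did not receive identification string from 10.0.0.210\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "1939",
+"program": "sshd",
+"hostname": "git",
+"payload": "",
+"timestamp": "Apr 17 06:06:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:54+00:00",
+"timestamp": "2014-04-17T06:10:54+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "input",
+"payload": "",
+"timestamp": "Apr 17 06:10:54"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:51+00:00",
+"timestamp": "2014-04-17T06:10:51+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
+"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "redis",
+"payload": "",
+"timestamp": "Apr 17 06:10:51"
+}
+},
+{
+"category": "syslog",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:10:28+00:00",
+"timestamp": "2014-04-17T06:10:28+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
+"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
+"eventsource": "systemslogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "",
+"program": "sudo",
+"hostname": "admin",
+"payload": "",
+"timestamp": "Apr 17 06:10:27"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:15:07+00:00",
+"timestamp": "2014-04-17T06:15:07+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
+"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "35029",
+"program": "mgd",
+"hostname": "fw.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:15:06"
+}
+},
+{
+"category": "network",
+"processid": "0",
+"severity": "INFO",
+"utctimestamp": "2014-04-17T06:19:41+00:00",
+"timestamp": "2014-04-17T06:19:41+00:00",
+"hostname": "syslog.example.com",
+"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
+"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
+"eventsource": "networklogs",
+"tags": [
+"example"
+],
+"details": {
+"processid": "744",
+"program": "mgd",
+"hostname": "switch1.example.com",
+"payload": "",
+"timestamp": "Apr 17 06:19:40"
+}
+},
+{
+"utctimestamp": "2014-04-17T07:05:02+00:00",
+"tags": [
+"example"
+],
+"timestamp": "2014-04-17T00:05:02",
+"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
+"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
+"details": {
+"dn": "john@example.com,o=com,dc=example",
+"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
+"srcip": "10.0.0.209",
+"result": "LDAP_SUCCESS",
+"success": true
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:09+00:00",
+"timestamp": "2014-04-17T07:17:09+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.38",
+"uid": "CXOBsx4vMrhPXR4qM4",
+"proto": "tcp",
+"ts": "1397805429.043383",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "46823",
+"destinationport": "7071",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.154",
+"payload": "",
+"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:17:07+00:00",
+"timestamp": "2014-04-17T07:17:07+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
+"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "8.8.8.8",
+"destinationiplocation": "United States/San Francisco, CA",
+"uid": "C5L6pJ2db92s2ajfnb",
+"proto": "tcp",
+"ts": "1397805427.078946",
+"note": "SSL::Invalid_Server_Cert",
+"sourceport": "34262",
+"destinationport": "443",
+"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
+"sourceipaddress": "10.0.0.42",
+"payload": "",
+"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:37+00:00",
+"timestamp": "2014-04-17T07:16:37+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.838051",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:16:36+00:00",
+"timestamp": "2014-04-17T07:16:36+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
+"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "0.0.0.0",
+"uid": "-",
+"proto": "-",
+"ts": "1397805396.486722",
+"note": "SSH::Password_Guessing",
+"sourceport": "-",
+"destinationport": "-",
+"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
+"sourceipaddress": "0.0.0.0",
+"payload": "",
+"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
+}
+},
+{
+"category": "bronotice",
+"processid": "0",
+"severity": "NOTICE",
+"utctimestamp": "2014-04-17T07:06:34+00:00",
+"timestamp": "2014-04-17T07:06:34+00:00",
+"hostname": "nsm5",
+"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
+"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
+"eventsource": "nsm",
+"tags": [
+"example"
+],
+"details": {
+"destinationipaddress": "10.0.0.170",
+"uid": "CAz8qn41YD9T8eNuh1",
+"proto": "tcp",
+"ts": "1397804793.952344",
+"note": "SSL::Certificate_Expired",
+"sourceport": "39764",
+"destinationport": "311",
+"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
+"sourceipaddress": "10.0.0.128",
+"payload": "",
+"sub": "-"
+}
+}
+]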
@ -0,0 +1,322 @@
|
|||
[
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:54+00:00",
|
||||
"timestamp": "2014-04-17T06:06:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.1\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "4846",
|
||||
"program": "sshd",
|
||||
"hostname": "proxy",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:53"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:53+00:00",
|
||||
"timestamp": "2014-04-17T06:06:53+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
|
||||
"summary": "Connection from 10.0.0.214 port 35783\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "2520",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:52"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:52+00:00",
|
||||
"timestamp": "2014-04-17T06:06:52+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.210\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "1939",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:54+00:00",
|
||||
"timestamp": "2014-04-17T06:10:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "input",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:54"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:51+00:00",
|
||||
"timestamp": "2014-04-17T06:10:51+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "redis",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:28+00:00",
|
||||
"timestamp": "2014-04-17T06:10:28+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
|
||||
"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "admin",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:27"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:15:07+00:00",
|
||||
"timestamp": "2014-04-17T06:15:07+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
|
||||
"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "35029",
|
||||
"program": "mgd",
|
||||
"hostname": "fw.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:15:06"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:19:41+00:00",
|
||||
"timestamp": "2014-04-17T06:19:41+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
|
||||
"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "744",
|
||||
"program": "mgd",
|
||||
"hostname": "switch1.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:19:40"
|
||||
}
|
||||
},
|
||||
{
|
||||
"utctimestamp": "2014-04-17T07:05:02+00:00",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"timestamp": "2014-04-17T00:05:02",
|
||||
"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
|
||||
"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
|
||||
"details": {
|
||||
"dn": "john@example.com,o=com,dc=example",
|
||||
"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
|
||||
"srcip": "10.0.0.209",
|
||||
"result": "LDAP_SUCCESS",
|
||||
"success": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:09+00:00",
|
||||
"timestamp": "2014-04-17T07:17:09+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.38",
|
||||
"uid": "CXOBsx4vMrhPXR4qM4",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805429.043383",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "46823",
|
||||
"destinationport": "7071",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.154",
|
||||
"payload": "",
|
||||
"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:07+00:00",
|
||||
"timestamp": "2014-04-17T07:17:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "8.8.8.8",
|
||||
"destinationiplocation": "United States/San Francisco, CA",
|
||||
"uid": "C5L6pJ2db92s2ajfnb",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805427.078946",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "34262",
|
||||
"destinationport": "443",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.42",
|
||||
"payload": "",
|
||||
"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:37+00:00",
|
||||
"timestamp": "2014-04-17T07:16:37+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.838051",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:36+00:00",
|
||||
"timestamp": "2014-04-17T07:16:36+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.486722",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:06:34+00:00",
|
||||
"timestamp": "2014-04-17T07:06:34+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
|
||||
"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.170",
|
||||
"uid": "CAz8qn41YD9T8eNuh1",
|
||||
"proto": "tcp",
|
||||
"ts": "1397804793.952344",
|
||||
"note": "SSL::Certificate_Expired",
|
||||
"sourceport": "39764",
|
||||
"destinationport": "311",
|
||||
"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
|
||||
"sourceipaddress": "10.0.0.128",
|
||||
"payload": "",
|
||||
"sub": "-"
|
||||
}
|
||||
}
|
||||
]
|
|
@ -0,0 +1,322 @@
|
|||
[
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:54+00:00",
|
||||
"timestamp": "2014-04-17T06:06:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.1\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "4846",
|
||||
"program": "sshd",
|
||||
"hostname": "proxy",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:53"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:53+00:00",
|
||||
"timestamp": "2014-04-17T06:06:53+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
|
||||
"summary": "Connection from 10.0.0.214 port 35783\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "2520",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:52"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:52+00:00",
|
||||
"timestamp": "2014-04-17T06:06:52+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.210\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "1939",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:54+00:00",
|
||||
"timestamp": "2014-04-17T06:10:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "input",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:54"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:51+00:00",
|
||||
"timestamp": "2014-04-17T06:10:51+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "redis",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:28+00:00",
|
||||
"timestamp": "2014-04-17T06:10:28+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
|
||||
"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "admin",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:27"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:15:07+00:00",
|
||||
"timestamp": "2014-04-17T06:15:07+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
|
||||
"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "35029",
|
||||
"program": "mgd",
|
||||
"hostname": "fw.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:15:06"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:19:41+00:00",
|
||||
"timestamp": "2014-04-17T06:19:41+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
|
||||
"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "744",
|
||||
"program": "mgd",
|
||||
"hostname": "switch1.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:19:40"
|
||||
}
|
||||
},
|
||||
{
|
||||
"utctimestamp": "2014-04-17T07:05:02+00:00",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"timestamp": "2014-04-17T00:05:02",
|
||||
"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
|
||||
"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
|
||||
"details": {
|
||||
"dn": "john@example.com,o=com,dc=example",
|
||||
"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
|
||||
"srcip": "10.0.0.209",
|
||||
"result": "LDAP_SUCCESS",
|
||||
"success": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:09+00:00",
|
||||
"timestamp": "2014-04-17T07:17:09+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.38",
|
||||
"uid": "CXOBsx4vMrhPXR4qM4",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805429.043383",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "46823",
|
||||
"destinationport": "7071",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.154",
|
||||
"payload": "",
|
||||
"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:07+00:00",
|
||||
"timestamp": "2014-04-17T07:17:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "8.8.8.8",
|
||||
"destinationiplocation": "United States/San Francisco, CA",
|
||||
"uid": "C5L6pJ2db92s2ajfnb",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805427.078946",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "34262",
|
||||
"destinationport": "443",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.42",
|
||||
"payload": "",
|
||||
"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:37+00:00",
|
||||
"timestamp": "2014-04-17T07:16:37+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.838051",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:36+00:00",
|
||||
"timestamp": "2014-04-17T07:16:36+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.486722",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:06:34+00:00",
|
||||
"timestamp": "2014-04-17T07:06:34+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
|
||||
"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.170",
|
||||
"uid": "CAz8qn41YD9T8eNuh1",
|
||||
"proto": "tcp",
|
||||
"ts": "1397804793.952344",
|
||||
"note": "SSL::Certificate_Expired",
|
||||
"sourceport": "39764",
|
||||
"destinationport": "311",
|
||||
"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
|
||||
"sourceipaddress": "10.0.0.128",
|
||||
"payload": "",
|
||||
"sub": "-"
|
||||
}
|
||||
}
|
||||
]
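Review bot: The LDAP event near the end of this new fixture (the object whose summary is `LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209`) does not share the shape of the other 14 events: it has no `category`, `processid`, `severity`, `hostname` or `eventsource` key, its `timestamp` is `"2014-04-17T00:05:02"` with no UTC offset and seven hours off its own `utctimestamp`, and its `receivedtimestamp` (`00:05:03`) precedes `utctimestamp` (`07:05:02`), so anything that routes on `category`/`eventsource` or orders on time would have nothing consistent to work with. Aligning the three stamps (`"timestamp": "2014-04-17T07:05:02+00:00"`, and a `receivedtimestamp` a second later — value constructed to match) and adding the missing keys with the same string types the other events use would keep the pool uniform. `details.destinationipaddress` `8.8.8.8` in the second `SSL::Invalid_Server_Cert` event is a real public address while the rest of the file is scrubbed to `10.0.0.0/8` and `example.com`, and the other fixtures in this commit use the `<randomipaddress>` placeholder; the same placeholder would fit here. The next `@ -0,0 +1,322 @@` hunk is byte-identical to this one, so both copies need the same corrections; if they are one fixture under two paths, consider committing it once.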
|
|
@ -0,0 +1,322 @@
|
|||
[
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:54+00:00",
|
||||
"timestamp": "2014-04-17T06:06:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:54.618178+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.1\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "4846",
|
||||
"program": "sshd",
|
||||
"hostname": "proxy",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:53"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:53+00:00",
|
||||
"timestamp": "2014-04-17T06:06:53+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:53.827106+00:00",
|
||||
"summary": "Connection from 10.0.0.214 port 35783\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "2520",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:52"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:06:52+00:00",
|
||||
"timestamp": "2014-04-17T06:06:52+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:06:52.825668+00:00",
|
||||
"summary": "Did not receive identification string from 10.0.0.210\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "1939",
|
||||
"program": "sshd",
|
||||
"hostname": "git",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:06:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:54+00:00",
|
||||
"timestamp": "2014-04-17T06:10:54+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:54.929854+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_auditd.sh\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "input",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:54"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:51+00:00",
|
||||
"timestamp": "2014-04-17T06:10:51+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:51.866868+00:00",
|
||||
"summary": " nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/custom/check_puppet -t 7200\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "redis",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:51"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:10:28+00:00",
|
||||
"timestamp": "2014-04-17T06:10:28+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:10:28.687338+00:00",
|
||||
"summary": "named-update : TTY=unknown ; PWD=/var/named ; USER=named-update ; COMMAND=/usr/bin/svn status /var/named/chroot/var/named\n",
|
||||
"eventsource": "systemslogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "sudo",
|
||||
"hostname": "admin",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:10:27"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:15:07+00:00",
|
||||
"timestamp": "2014-04-17T06:15:07+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:15:07.862013+00:00",
|
||||
"summary": "%-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-flow-statistics-all'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "35029",
|
||||
"program": "mgd",
|
||||
"hostname": "fw.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:15:06"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"utctimestamp": "2014-04-17T06:19:41+00:00",
|
||||
"timestamp": "2014-04-17T06:19:41+00:00",
|
||||
"hostname": "syslog.example.com",
|
||||
"receivedtimestamp": "2014-04-17T06:19:41.957329+00:00",
|
||||
"summary": "%-UI_LOGIN_EVENT: User 'root' login, class 'super-user' [744], ssh-connection '', client-mode 'junoscript'\n",
|
||||
"eventsource": "networklogs",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"processid": "744",
|
||||
"program": "mgd",
|
||||
"hostname": "switch1.example.com",
|
||||
"payload": "",
|
||||
"timestamp": "Apr 17 06:19:40"
|
||||
}
|
||||
},
|
||||
{
|
||||
"utctimestamp": "2014-04-17T07:05:02+00:00",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"timestamp": "2014-04-17T00:05:02",
|
||||
"receivedtimestamp": "2014-04-17T00:05:03.941186+00:00",
|
||||
"summary": "LDAP_SUCCESS john@example.com,o=com,dc=example srcIP=10.0.0.209",
|
||||
"details": {
|
||||
"dn": "john@example.com,o=com,dc=example",
|
||||
"source": "Apr 17 00:05:02 ldap slapd[15932]: conn=25123333 fd=93 ACCEPT from IP=10.0.0.209:8325 (IP=0.0.0.0:389)\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=bind-openvpn,ou=logins,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 BIND dn=\"uid=vpn,ou=logins,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=0 RESULT tag=97 err=0 text=\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND anonymous mech=implicit ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" method=128\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 BIND dn=\"mail=john@example.com,o=com,dc=example\" mech=SIMPLE ssf=0\nApr 17 00:05:02 ldap slapd[15932]: conn=25123333 op=1 RESULT tag=97 err=0 text=\n",
|
||||
"srcip": "10.0.0.209",
|
||||
"result": "LDAP_SUCCESS",
|
||||
"success": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:09+00:00",
|
||||
"timestamp": "2014-04-17T07:17:09+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:10.634904+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.38",
|
||||
"uid": "CXOBsx4vMrhPXR4qM4",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805429.043383",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "46823",
|
||||
"destinationport": "7071",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.154",
|
||||
"payload": "",
|
||||
"sub": "emailAddress=john@example.com,CN=mail.example.com,OU=Secure Mail Server,O=Example Corporation,L=Mountain View,ST=California,C=US"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:17:07+00:00",
|
||||
"timestamp": "2014-04-17T07:17:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:17:08.674456+00:00",
|
||||
"summary": "SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ssl-selfsigned-unknownissuer.example.com",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "8.8.8.8",
|
||||
"destinationiplocation": "United States/San Francisco, CA",
|
||||
"uid": "C5L6pJ2db92s2ajfnb",
|
||||
"proto": "tcp",
|
||||
"ts": "1397805427.078946",
|
||||
"note": "SSL::Invalid_Server_Cert",
|
||||
"sourceport": "34262",
|
||||
"destinationport": "443",
|
||||
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
|
||||
"sourceipaddress": "10.0.0.42",
|
||||
"payload": "",
|
||||
"sub": "CN=ssl-selfsigned-unknownissuer.example.com"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:37+00:00",
|
||||
"timestamp": "2014-04-17T07:16:37+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:38.513274+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections). Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.838051",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.78 appears to be guessing SSH passwords (seen in 30 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.30.252.148, 10.30.252.150, 10.30.252.148, 10.30.252.150, 10.30.252.150"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:16:36+00:00",
|
||||
"timestamp": "2014-04-17T07:16:36+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:16:37.437511+00:00",
|
||||
"summary": "SSH::Password_Guessing 10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections). Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "0.0.0.0",
|
||||
"uid": "-",
|
||||
"proto": "-",
|
||||
"ts": "1397805396.486722",
|
||||
"note": "SSH::Password_Guessing",
|
||||
"sourceport": "-",
|
||||
"destinationport": "-",
|
||||
"msg": "10.0.0.7 appears to be guessing SSH passwords (seen in 35 connections).",
|
||||
"sourceipaddress": "0.0.0.0",
|
||||
"payload": "",
|
||||
"sub": "Sampled servers: 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46, 10.245.217.46"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bronotice",
|
||||
"processid": "0",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-04-17T07:06:34+00:00",
|
||||
"timestamp": "2014-04-17T07:06:34+00:00",
|
||||
"hostname": "nsm5",
|
||||
"receivedtimestamp": "2014-04-17T07:06:35.451657+00:00",
|
||||
"summary": "SSL::Certificate_Expired Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000 -",
|
||||
"eventsource": "nsm",
|
||||
"tags": [
|
||||
"example"
|
||||
],
|
||||
"details": {
|
||||
"destinationipaddress": "10.0.0.170",
|
||||
"uid": "CAz8qn41YD9T8eNuh1",
|
||||
"proto": "tcp",
|
||||
"ts": "1397804793.952344",
|
||||
"note": "SSL::Certificate_Expired",
|
||||
"sourceport": "39764",
|
||||
"destinationport": "311",
|
||||
"msg": "Certificate CN=example.com expired at 2013-02-01-21:38:50.000000000",
|
||||
"sourceipaddress": "10.0.0.128",
|
||||
"payload": "",
|
||||
"sub": "-"
|
||||
}
|
||||
}
|
||||
]
|
|
@ -2,14 +2,11 @@
|
|||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.502716+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": ["nsm","bro","intel"],
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"summary": "Bro intel match: <randomipaddress>",
|
||||
"file": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.27",
|
||||
|
@ -18,153 +15,11 @@
|
|||
"ts": "1405546326.853474",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 58969,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.27",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.499594+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.28",
|
||||
"seenwhere": "Intel::ADDR",
|
||||
"uid": "Ce58I13SIYMCYbcAw4",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"ts": "1405546326.853474",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 13711,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.28",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.499594+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.28",
|
||||
"seenwhere": "Intel::ADDR",
|
||||
"uid": "Ce58I13SIYMCYbcAw4",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"ts": "1405546326.853474",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 13711,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.28",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.499594+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.28",
|
||||
"seenwhere": "Intel::ADDR",
|
||||
"uid": "Ce58I13SIYMCYbcAw4",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"ts": "1405546326.853474",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 13711,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.28",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.499594+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.28",
|
||||
"seenwhere": "Intel::ADDR",
|
||||
"uid": "Ce58I13SIYMCYbcAw4",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"ts": "1405546326.853474",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 13711,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.28",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "bro_intel",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-16T21:32:07.499594+00:00",
|
||||
"severity": "7",
|
||||
"utctimestamp": "2014-07-16T21:32:07+00:00",
|
||||
"tags": "nsm,bro,intel",
|
||||
"timestamp": "2014-07-16T21:32:07+00:00",
|
||||
"hostname": "nsm5",
|
||||
"summary": "Bro intel match: 0.0.139.213",
|
||||
"eventsource": "nsm",
|
||||
"details": {
|
||||
"category": "bro_intel",
|
||||
"destinationipaddress": "0.0.82.28",
|
||||
"seenwhere": "Intel::ADDR",
|
||||
"uid": "Ce58I13SIYMCYbcAw4",
|
||||
"seenindicator": "0.0.139.213",
|
||||
"ts": "1405546326.853474",
|
||||
"sources": "CIF - need-to-know",
|
||||
"sourceipv4address": "0.0.82.208",
|
||||
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
|
||||
"destinationport": 443,
|
||||
"sourceport": 13711,
|
||||
"sourceipaddress": "0.0.82.208",
|
||||
"destinationipv4address": "0.0.82.28",
|
||||
"severity": "NOTICE"
|
||||
}
|
||||
}
|
||||
]
|
||||
]
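Review bot: In the first hunk of this section the summary now reads `Bro intel match: <randomipaddress>` (assuming the placeholder form is the new side), but the `details` object that survives the second hunk still carries the literal `"seenindicator": "0.0.139.213"` together with fixed `sourceipv4address`/`destinationipv4address` values, so whatever fills the placeholder at demo time will emit an event whose summary and structured fields name different addresses. Substituting the placeholder in the structured field too, `"seenindicator": "<randomipaddress>"`, keeps the two in agreement for anything that correlates on `details` rather than on free text. This file also stores ports as numbers (`"destinationport": 443`) while the new 322-line fixture in this commit stores them as strings (`"destinationport": "443"`); one type per key across the pool would spare consumers a cast. The enclosing top-level array opens before the first hunk.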
|
||||
|
|
|
@ -2,16 +2,13 @@
|
|||
{
|
||||
"category": "bro_notice",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-17T05:37:57.617362+00:00",
|
||||
"severity": "NOTICE",
|
||||
"utctimestamp": "2014-07-17T05:37:56+00:00",
|
||||
"tags": "nsm,bro,notice",
|
||||
"timestamp": "2014-07-17T05:37:56+00:00",
|
||||
"tags": ["nsm","bro","intel"],
|
||||
"hostname": "nsm7",
|
||||
"summary": "MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker Excessive HTTP errors for requests from 0.0.224.14 3 in 1.0 hr, eps: 0",
|
||||
"eventsource": "nsm",
|
||||
"summary": "MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker Excessive HTTP errors for requests from <randomipaddress> 10 in 1.0 hr, eps: 0",
|
||||
"file": "nsm",
|
||||
"details": {
|
||||
"payload": ""
|
||||
}
|
||||
}
|
||||
]
|
||||
]
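Review bot: The tags array on the new side, `"tags": ["nsm","bro","intel"]`, contradicts the event's `"category": "bro_notice"` — the old string value was `"nsm,bro,notice"`, so the conversion to an array appears to have picked up the intel tag from the neighbouring bro_intel events. Anything filtering or alerting on the tag list will group this notice with intel matches. Suggested line: `"tags": ["nsm","bro","notice"],`. The enclosing array opens before line 2 and is outside this hunk, and the old/new side of each line is inferred from the hunk counts rather than visible markers.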
|
||||
|
|
|
@ -5,11 +5,12 @@
|
|||
"severity": "NOTICE",
|
||||
"hostname": "example.com",
|
||||
"summary": "%-SSHD_LOGIN_FAILED: Login failed for user 'ch' from host <randomipaddress>",
|
||||
"eventsource": "systemslogs",
|
||||
"file": "systemslogs",
|
||||
"details": {
|
||||
"processid": "",
|
||||
"processid": "188",
|
||||
"hostname": "example.com",
|
||||
"program": "sshd"
|
||||
}
|
||||
}
|
||||
]
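Review bot: The login-failure event names its source only in free text — `"summary": "%-SSHD_LOGIN_FAILED: ... from host <randomipaddress>"` — while `details` carries `processid`, `hostname` and `program` but no `sourceipaddress`; the fail2ban hunk below has the same gap on its new side, where the `sourceipaddress`/`sourceipv4address` details fields (and the geolocation block) are dropped and only the summary keeps the placeholder. If the demo loader substitutes `<randomipaddress>` in `details` as well as `summary` (cannot be confirmed from this page), adding `"sourceipaddress": "<randomipaddress>"` to both details objects would keep the structured field that correlation and alert logic is normally keyed on; otherwise the address is only recoverable by re-parsing the summary string. The event object's opening lines sit above line 5 and are outside this hunk.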
|
||||
|
||||
|
|
|
@ -2,36 +2,12 @@
|
|||
{
|
||||
"category": "syslog",
|
||||
"processid": "0",
|
||||
"receivedtimestamp": "2014-07-17T15:57:19.358119+00:00",
|
||||
"severity": "WARNING",
|
||||
"utctimestamp": "2014-07-17T15:57:18+00:00",
|
||||
"timestamp": "2014-07-17T15:57:18+00:00",
|
||||
"hostname": "example.com",
|
||||
"summary": "The IP 0.0.141.210 has been banned for 21600 seconds after 4 failed attempts against SIP\n",
|
||||
"eventsource": "systemslogs",
|
||||
"summary": "The IP <randomipaddress> has been banned for 21600 seconds after 4 failed attempts against SIP\n",
|
||||
"file": "systemslogs",
|
||||
"details": {
|
||||
"processid": "",
|
||||
"sourceipv4address": "0.0.141.210",
|
||||
"timestamp": "Jul 17 15:57:16",
|
||||
"hostname": "pbx1",
|
||||
"program": "fail2ban",
|
||||
"sourceipgeolocation": {
|
||||
"city": "Buffalo",
|
||||
"region_code": "NY",
|
||||
"area_code": 716,
|
||||
"time_zone": "America/New_York",
|
||||
"dma_code": 514,
|
||||
"metro_code": "Buffalo, NY",
|
||||
"country_code3": "USA",
|
||||
"latitude": 42.9864,
|
||||
"postal_code": "14221",
|
||||
"longitude": -78.7279,
|
||||
"country_code": "US",
|
||||
"country_name": "United States",
|
||||
"continent": "NA"
|
||||
},
|
||||
"sourceipaddress": "0.0.141.210",
|
||||
"payload": ""
|
||||
"program": "fail2ban"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
[
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"summary": "%-RT_FLOW_SESSION_CREATE: session created 10.2.2.59/41228->63.245.215.25/443 junos-https 63.245.221.32/38987->63.245.215.25/443 natrulename None 6 any--any corp external 251204 N/A(N/A) reth10.2\n",
|
||||
"file": "networklogs",
|
||||
"details": {
|
||||
"protocol": "6",
|
||||
"sourceipv4address": "10.2.2.59",
|
||||
"payload": "",
|
||||
"sourceipaddress": "10.2.2.59",
|
||||
"service": "junos-https",
|
||||
"hostname": "fw1.example.com",
|
||||
"program": "RT_FLOW",
|
||||
"destinationport": "443",
|
||||
"policy": "any--any",
|
||||
"destinationnatrule": "None",
|
||||
"destinationipaddress": "63.245.215.25",
|
||||
"destinationzone": "external",
|
||||
"destinationipv4address": "63.245.215.25"
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "network",
|
||||
"processid": "0",
|
||||
"severity": "INFO",
|
||||
"hostname": "syslog1.example.com",
|
||||
"summary": "%-RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.6.4.3/9601->20.21.23.121/64635 icmp 63.245.214.82/47722->20.21.23.121/64635 a-nat None 1 global-icmp-permit srv untrust 20434750 0(0) 0(0) 1 UNKNOWN UNKNOWN N/A(N/A) reth10.8 UNKNOWN\n",
|
||||
"file": "networklogs",
|
||||
"details": {
|
||||
"processid": "",
|
||||
"program": "RT_FLOW",
|
||||
"hostname": "fw1.example.com",
|
||||
"payload": ""
|
||||
}
|
||||
}
|
||||
]
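Review bot: `"destinationport": "443"` and `"protocol": "6"` are strings here while the bro_intel events in this same pool use numeric `"destinationport": 443` and `"sourceport": 13711`, so the same field name now arrives with two JSON types; a consumer that maps `details.destinationport` as a number will reject or mis-index one of the two shapes. Suggested lines: `"destinationport": 443,` and `"protocol": 6,` (the port in the second event's summary is only in free text, so only the first event is affected). The first network event also has no top-level `hostname`, `timestamp`, `utctimestamp` or `receivedtimestamp`, which every other event in the pool carries, and the second event has no parsed flow fields at all, so the two records of the new file do not share one schema. The summaries also embed public-range addresses rather than the `0.0.x.x` / `<randomipaddress>` convention used elsewhere in this commit.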
|