in source/lambda/es_loader/siem/sf_linux_os_syslog.py [0:0]
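def extract_from_sshd(logdata, linux_dict):
    """Enrich ``linux_dict`` with ECS-style fields parsed from an sshd syslog line.

    The first pattern in the module-level ``RE_LIST_SSHD`` whose ``search``
    matches ``logdata['syslog_message']`` wins; its named groups populate
    ``user.name``, ``source.ip`` / ``source.port`` and ``event.action``.
    ``event.module`` is always set to ``'secure'``.  When an ``action`` group
    is present the event is tagged ``event.category = 'authentication'`` and
    ``event.outcome`` is derived from substrings of the lower-cased action:

    * ``accept`` / ``opened``              -> ``'success'``
    * ``fail`` / ``invalid`` / ``err``     -> ``'failure'``
    * ``disconnect`` / ``reset`` / ``close`` -> outcome deliberately left unset
    * anything else                        -> ``'unknown'``

    The checks run in that order, so an action containing both ``close`` and
    ``invalid`` (e.g. "Connection closed by invalid user ...") is classified
    as ``'failure'``, and one containing ``accept`` is ``'success'`` even if a
    later keyword also appears.  The ``err`` test is a bare substring match,
    so any action word embedding it would also land in ``'failure'``.

    NOTE(review): ``user.name`` is untrusted data.  For "Invalid user" events
    the name is expected to be whatever the remote client sent, so downstream
    consumers should treat it as attacker-controlled rather than as an
    existing account.

    Args:
        logdata: dict holding the raw event; only ``'syslog_message'`` is read
            and a ``KeyError`` propagates if it is absent.
        linux_dict: partially built result dict, mutated in place.

    Returns:
        ``linux_dict`` (the same object) for call chaining.
    """
    linux_dict['event'] = {'module': 'secure'}
    data = {}
    message = logdata['syslog_message']
    for pattern in RE_LIST_SSHD:
        m = pattern.search(message)
        if m:
            # Drop optional groups that did not participate in the match.
            # Left in, they surface as None values that still satisfy the
            # ``key in data`` checks below (producing ``user.name: None``,
            # defeating the '' port default, and crashing on ``None.lower()``
            # for an unmatched optional ``action`` group).
            data = {k: v for k, v in m.groupdict().items() if v is not None}
            break

    if 'user' in data:
        linux_dict['user'] = {'name': data['user']}
    if 'source_ip' in data:
        linux_dict['source'] = {
            'ip': data['source_ip'],
            'port': data.get('source_port', ''),
        }
    if 'action' in data:
        linux_dict['event']['category'] = 'authentication'
        linux_dict['event']['action'] = data['action']
        action = data['action'].lower()
        if 'accept' in action or 'opened' in action:
            linux_dict['event']['outcome'] = 'success'
        elif 'fail' in action or 'invalid' in action or 'err' in action:
            linux_dict['event']['outcome'] = 'failure'
        elif 'disconnect' in action or 'reset' in action or 'close' in action:
            # Disconnections are neither a success nor a failure of
            # authentication; ``event.outcome`` is intentionally left unset.
            pass
        else:
            linux_dict['event']['outcome'] = 'unknown'
    return linux_dict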