Hi, can anyone provide an example query that tracks failed ssh attempts on linux? I couldn't find a table that stores this info. I'm about to try creating a lense for /var/log/auth.log and getting the info that way but wonder if there is an easier approach.
07/26/2022, 1:50 PM
I had to resort to Apple Unified Logs for this same use case on macOS
07/26/2022, 3:53 PM
I'm not aware of a place the OS stores this. There might be an event somewhere, otherwise it's log parsing.
07/27/2022, 6:58 AM
After doing some more research, it looks like augeas lenses are meant for parsing standard configuration files rather than logs, so it won't work. Probably best to craete a new osquery table module that parses and stores the content of the target log file.