Peter Panko

07/26/2022, 11:44 AM
Hi, can anyone provide an example query that tracks failed ssh attempts on linux? I couldn't find a table that stores this info. I'm about to try creating a lens for /var/log/auth.log and getting the info that way but wonder if there is an easier approach.

Brandon Mesa

07/26/2022, 1:50 PM
I had to resort to Apple Unified Logs for this same use case on macOS


07/26/2022, 3:53 PM
I'm not aware of a place the OS stores this. There might be an event somewhere, otherwise it's log parsing.

Peter Panko

07/27/2022, 6:58 AM
After doing some more research, it looks like augeas lenses are meant for parsing standard configuration files rather than logs, so it won't work. Probably best to create a new osquery table module that parses and stores the content of the target log file.