Linux System Logs Content Pack
Linux is a ubiquitous, open-source operating system that powers everything from servers and cloud infrastructure to desktop systems and embedded devices.
This technology pack provides common log parsing, normalization, and enrichment for Debian/Ubuntu Linux distributions.
Supported Distributions
- Ubuntu 20.04 LTS (Focal Fossa) and 22.04 LTS (Jammy Jellyfish)
- Debian 11 (bullseye) and 12 (bookworm)
Requirements
- Graylog 6.0.1+ with a valid Enterprise license
Stream Configuration
This technology pack includes 1 stream:
- Illuminate:Linux System Messages
Index Set Configuration
This technology pack includes 1 index set definition:
- Linux System Logs
What is Provided
- Rules to parse, normalize, and enrich Linux system log messages
- A dashboard displaying events and statistics of interest
Events Processed by This Technology Pack
The Linux System Logs content pack supports the following log types. Log types not listed below receive generic processing only.
- SSH Logs
- Login Logs
- Sudo Logs
- Su Logs
- PAM Logs
- Systemd Logs
- Cron Logs
- UFW Logs
- Iptables Logs
- User Activity Logs
- Group Activity Logs
GIM Categorization
GIM categorization is provided for the following messages:
| Log Type | Vendor Event Description | GIM Category | GIM Subcategory | GIM Event Type Code |
|---|---|---|---|---|
| login | Failed login on console or terminal | authentication | authentication.access notice | 101001 |
| login | Root login on console or terminal | authentication | authentication.access notice | 101000 |
| login | Successful login on console or terminal | authentication | authentication.logon | 100000 |
| login | Authentication message | authentication | authentication.default | 109999 |
| pam | Authentication success | authentication | authentication.credential validation | 100500 |
| pam | Authentication failure (credential validation) | authentication | authentication.credential validation | 100501 |
| pam | Access denied | authentication | authentication.access policy | 101500 |
| pam | Account notice | authentication | authentication.access notice | 101000 |
| pam | Session opened | authentication | authentication.logon | 100000 |
| pam | Session closed | authentication | authentication.logon | 100001 |
| pam | Authentication failure | authentication | authentication.default | 109999 |
| ssh | Postponed keyboard-interactive | authentication | authentication.default | 109999 |
| ssh | Accepted password | authentication | authentication.credential validation | 100500 |
| ssh | Accepted publickey | authentication | authentication.credential validation | 100500 |
| ssh | Failed password (for invalid/illegal user) | authentication | authentication.credential validation | 100501 |
| ssh | Failed publickey (for invalid/illegal user) | authentication | authentication.credential validation | 100501 |
| ssh | Connection closed by authenticating user | authentication | authentication.logoff | 102500 |
| ssh | Connection reset by invalid/illegal user | authentication | authentication.credential validation | 100501 |
| ssh | Invalid user | authentication | authentication.credential validation | 100501 |
| ssh | Disconnected from user | authentication | authentication.logoff | 102501 |
| ssh | User not allowed by access control directives | authentication | authentication.access policy | 101500 |
| ssh | Root login refused | authentication | authentication.access policy | 101500 |
| ssh | User not allowed because account is locked | authentication | authentication.access policy | 101502 |
| su | User switched to another user | authentication | authentication.access notice | 101000 |
| su | Authentication message | authentication | authentication.default | 109999 |
| sudo | User executed a command with elevated privileges | authentication | authentication.access notice | 101000 |
| sudo | Authentication message | authentication | authentication.default | 109999 |
| systemd | Starting or stopping systemd unit | service | service.start | 210000 |
| systemd | Stopping or completing systemd unit | service | service.stop | 210100 |
| systemd | Reloading systemd unit | service | service.configuration | 211000 |
| systemd | Failed with result | service | service.state | 211504 |
| systemd | Service status message | service | service.default | 219999 |
| cron | Cron job initiated | process | process.execute | 190000 |
| cron | Cron job completed | process | process.end | 190100 |
| kernel/ufw | UFW ALLOW/BLOCK | network | network.network connection | 120000 |
| kernel/ufw | UFW AUDIT | network | network.default | 129999 |
| kernel/iptables | IPTABLES-ALLOW/DROP | network | network.network connection | 120000 |
| kernel/iptables | iptables-log | network | network.default | 129999 |
| users/groups | Changed password expiry for user | iam | iam.default | 119999 |
| users/groups | Changed user information | iam | iam.default | 119999 |
| users/groups | Changed user shell | iam | iam.default | 119999 |
| users/groups | User added to group | iam | iam.default | 119999 |
| users/groups | User removed from group | iam | iam.default | 119999 |
| users/groups | User created | iam | iam.default | 119999 |
| users/groups | User deleted | iam | iam.default | 119999 |
| users/groups | User username changed | iam | iam.default | 119999 |
| users/groups | User password changed | iam | iam.default | 119999 |
| users/groups | User ID changed | iam | iam.default | 119999 |
| users/groups | Group removed | iam | iam.default | 119999 |
| users/groups | Group ID changed | iam | iam.default | 119999 |
| users/groups | Group password changed by user | iam | iam.default | 119999 |
| users/groups | Group password removed by user | iam | iam.default | 119999 |
Message Fields Included in This Pack
General Parsing
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_action | blocked | keyword | Normalized action of the event, mapped from vendor_event_action |
| event_created | 2025-03-25T10:08:00.000Z | date | Syslog timestamp in messages delivered via Filebeat |
| event_log_path | /var/log/auth.log | keyword | The full path of the source log file in messages delivered via Filebeat |
| event_reporter_hostname | corp.srv.lxv01 | keyword | Hostname provided by Filebeat |
| event_source | lxs1 | keyword | Syslog hostname in messages delivered via Filebeat |
| application_name | sshd | keyword | This field is generated by the Syslog input or parsed from the Syslog header in Filebeat messages |
| facility | security/authorization | keyword | This field is generated by the Syslog input |
| process_id | 5222 | keyword/loweronly | This field is generated by the Syslog input |
| process_name | sshd | keyword | Process name extracted from the process command line |
| source | prodlxv01 | keyword | Hostname or IP of the source system that generated the event |
| source_user_domain | corp.internal | keyword | AD or LDAP domain extracted from source user account names where applicable |
| user_domain | corp.internal | keyword | AD or LDAP domain extracted from user account names where applicable |
SSH
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_outcome | success | keyword | The outcome of the event |
| event_repeat_count | 3 | long | Count of times a message has been repeated |
| host_hostname | ssh.corp.example.com | keyword | Hostname that the SSH server binds to |
| host_ip | 10.1.2.3 | ip | IP address that the SSH server binds to |
| host_port | 22 | long | Port that the SSH server listens on |
| source_hostname | workstation.corp.example.com | keyword | Hostname of the client |
| source_ip | 10.1.2.3 | ip | IP address of the client |
| source_port | 62681 | long | Port from which the client connects |
| source_user_name | user1 | keyword | The remote user that made the authentication attempt |
| user_name | webadmin | keyword | The user used to authenticate or associated with the session |
| vendor_credential_type | publickey | keyword | The type of credentials used for authentication |
| vendor_event_action | refused | keyword | The action taken in the event |
| vendor_event_description | Accepted password | keyword | The description of the event action |
| vendor_event_outcome | not allowed | keyword | The vendor-defined outcome of the action described in the message |
| vendor_event_outcome_reason | not listed in AllowUsers | keyword | The vendor-provided text detailing the reason for the event outcome |
| vendor_pam_euid | 0 | keyword | The effective user ID used to execute the process |
| vendor_pam_logname | user1 | keyword | The login name of the user |
| vendor_pam_uid | 0 | keyword | ID of the user being authenticated or of the process facilitating the authentication |
| vendor_ssh_disconnect_code | 11 | keyword | The disconnect reason code sent by the client |
| vendor_ssh_disconnect_message | disconnected by user | keyword | The disconnect reason message sent by the client |
| vendor_ssh_signal_type | SIGHUP | keyword | The signal type received by the SSH server |
| vendor_ssh_signature | ED25519 SHA256:YbexxF5dVcxxmEh9xx/DuXoUX6xxLvKI2u3xx7LjYuw | keyword | The fingerprint of the key or certificate used for authentication |
| vendor_ssh_term_signal | 15 | keyword | The signal number that caused the SSH server to terminate |
| vendor_tty | ssh | keyword | The terminal over which the authentication attempt was made |
Login
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_outcome | failure | keyword | The outcome of the event |
| event_repeat_count | 1 | long | Count of times a message has been repeated |
| source_hostname | localhost | keyword | Hostname from which the login was attempted |
| source_ip | 10.1.2.3 | ip | IP address from which the login was attempted |
| user_name | pi | keyword | The user account for which the login was attempted |
| vendor_event_description | Failed login on console or terminal | keyword | The description of the event action |
| vendor_event_outcome | FAILED | keyword | The vendor-defined outcome of the login attempt |
| vendor_event_outcome_reason | Authentication failure | keyword | The vendor-provided text detailing the reason for the failed login |
| vendor_tty | /dev/tty1 | keyword | The terminal on which the login was attempted |
Sudo
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_outcome | success | keyword | The outcome of the event |
| process_command_line | /bin/bash | keyword | The full command line that the user attempted to execute |
| process_working_directory | /home/user1 | keyword | The current working directory that the process was called from |
| source_user_name | user1 | keyword | The user that initiated the request to run a command with elevated privileges |
| user_name | root | keyword | The user that the command is run as |
| vendor_event_description | User executed a command with elevated privileges | keyword | The description of the event action |
| vendor_event_outcome | success | keyword | The outcome describing whether the sudo attempt was successful or not |
| vendor_sudo_error | user NOT in sudoers | keyword | The error that occurred, often indicating a failed sudo attempt |
| vendor_tty | pts/1 | keyword | The terminal from which the sudo command was executed |
Su
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_outcome | success | keyword | The outcome of the event |
| source_user_name | user1 | keyword | The user that initiated the action to switch to another user |
| user_name | user2 | keyword | The target user that the original user attempted to switch to |
| vendor_event_description | Failed user attempt to switch to another user | keyword | The description of the event action |
| vendor_event_outcome | FAILED | keyword | The outcome describing whether the su attempt was successful or not |
| vendor_tty | pts/0 | keyword | The terminal from which the su command was executed |
PAM
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_error_code | 4 | keyword | The error code returned by the PAM module |
| event_error_description | System error | keyword | The description of the error returned by the PAM module |
| event_outcome | failure | keyword | The outcome of the event |
| source_hostname | workstation.corp.example.com | keyword | Remote hostname from which the authentication attempt originated |
| source_ip | 10.1.2.3 | ip | Remote IP address from which the authentication attempt originated |
| source_user_id | 0 | keyword | ID of the user or process that initiated the session for another user |
| source_user_name | user1 | keyword | The remote user that made the authentication attempt or user that initiated the session |
| user_id | 1000 | keyword | ID of the user for which a session was opened or closed |
| user_name | user2 | keyword | The user account being authenticated or the user for which a session was opened or closed |
| vendor_event_action | opened | keyword | The action taken in the event |
| vendor_event_description | Session opened for user | keyword | The description of the event action |
| vendor_event_outcome | failure | keyword | The vendor-defined outcome of the action described in the message |
| vendor_pam_euid | 0 | keyword | The effective user ID used to execute the process, which may differ from the real user ID |
| vendor_pam_function | auth | keyword | The specific function being invoked by PAM |
| vendor_pam_logname | user1 | keyword | The login name of the user |
| vendor_pam_module | pam_unix | keyword | The name of the PAM module handling the authentication |
| vendor_pam_service_name | sshd | keyword | The service or application using PAM for authentication |
| vendor_pam_uid | 0 | keyword | ID of the user being authenticated or of the process facilitating the authentication |
| vendor_tty | /dev/pts/0 | keyword | The terminal over which the authentication attempt was made |
Systemd
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_outcome | failure | keyword | The outcome of the event |
| service_name | logrotate | keyword | The name of the service |
| service_state | active | keyword | The state of the service |
| vendor_event_action | Finished | keyword | The action taken in the event |
| vendor_event_description | Main process exited | keyword | The description of the event action |
| vendor_event_outcome | Failed | keyword | The vendor-defined outcome of the action described in the message |
| vendor_systemd_code | exited | keyword | The exit code returned by the process when it terminates |
| vendor_systemd_result | exit-code | keyword | The result string describing why the service failed |
| vendor_systemd_service_status | Deactivated successfully. | keyword | The general status of the service |
| vendor_systemd_status_code | 1 | keyword | The status code that indicates the result of the process |
| vendor_systemd_status_description | FAILURE | keyword | The description of the status of the service after its process has terminated |
| vendor_systemd_unit_description | Rotate log files | keyword | The description of the systemd unit, often from when it changes state |
Cron
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| process_command_line | cd / && run-parts --report /etc/cron.hourly | keyword | The full command line scheduled to run |
| source_user_name | root | keyword | The user that modified the crontab of itself or another user |
| user_name | user1 | keyword | The user that the command is run under or whose crontab is modified |
| vendor_cron_error | grandchild #2176 failed with exit status 1 | keyword | The error that occurred during a job or when processing crontab |
| vendor_cron_info | Running @reboot jobs | keyword | The general information output from a cron daemon |
| vendor_event_description | Cron job initiated | keyword | The description of the event action |
User and Group Activity
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_action | created | keyword | The normalized action taken in the event |
| group_id | 999 | keyword | ID of the group |
| group_name | graylog | keyword | Name of the group |
| source_user_id | 1001 | keyword | ID of the user account impacting another user account, or the ID before a change |
| source_user_name | user1 | keyword | Name of the user account impacting another user account, or the name before a change |
| user_id | 1002 | keyword | ID of the user account |
| user_name | user2 | keyword | Name of the user account |
| vendor_event_action | created | keyword | The vendor-defined action taken in the event |
| vendor_event_description | User created | keyword | The description of the event action |
| vendor_pam_function | session | keyword | The specific PAM function being invoked, present in password-related events |
| vendor_pam_module | pam_unix | keyword | The PAM module handling the operation, present in password-related events |
| vendor_pam_service_name | passwd | keyword | The service using PAM for the operation, present in password-related events |
| vendor_source_group_name | oldgroup | keyword | Name of the group before a change |
| vendor_tty | /dev/pts/0 | keyword | The terminal from which an action was taken |
| vendor_user_home | /home/user1 | keyword | User home directory |
| vendor_user_shell | /bin/bash | keyword | User login shell |
UFW
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| destination_ip | 192.168.1.204 | ip | Destination IP address of the packet |
| destination_mac | e8:ff:1e:d8:d2:2d | keyword | Destination MAC address of the packet |
| destination_port | 46026 | long | Destination port of the packet |
| event_action | blocked | keyword | The normalized action taken by UFW on the network connection |
| network_bytes | 36 | long | The length of the packet in bytes |
| network_iana_number | 7 | long | The protocol number of the packet |
| network_interface_in | ens33 | keyword/loweronly | Name of interface receiving traffic |
| network_interface_out | wlp3s0 | keyword/loweronly | Name of interface sending traffic |
| network_transport | tcp | keyword | The transport protocol of the packet |
| source_ip | 192.168.1.151 | ip | Source IP address of the packet |
| source_mac | 94:08:53:70:ff:b3 | keyword | Source MAC address of the packet |
| source_port | 5044 | long | Source port of the packet |
| vendor_ethertype | 0x0800 | keyword | The EtherType value from the packet header |
| vendor_event_action | BLOCK | keyword | The vendor-defined action taken by UFW on the network connection |
| vendor_event_description | UFW BLOCK | keyword | The description of the event action |
| vendor_ufw_id | 35670 | keyword | The unique ID of the IP datagram, shared across packet fragments |
| vendor_ufw_ttl | 64 | keyword | The packet Time to Live |
| vendor_ufw_window | 50336 | keyword | The TCP window size of the packet |
| vendor_uptime | 16058.979911 | keyword | The kernel time in seconds since boot |
Iptables
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| destination_ip | 192.168.1.204 | ip | Destination IP address of the packet |
| destination_mac | e8:ff:1e:d8:d2:2d | keyword | Destination MAC address of the packet |
| destination_port | 46026 | long | Destination port of the packet |
| event_action | allowed | keyword | The normalized action taken by iptables on the network connection |
| network_bytes | 266 | long | The length of the packet in bytes |
| network_iana_number | 2 | long | The protocol number of the packet |
| network_interface_in | ens33 | keyword/loweronly | Name of interface receiving traffic |
| network_interface_out | wlp1s0 | keyword/loweronly | Name of interface sending traffic |
| network_transport | tcp | keyword | The transport protocol of the packet |
| source_ip | 192.168.1.151 | ip | Source IP address of the packet |
| source_mac | 94:08:53:70:ff:b3 | keyword | Source MAC address of the packet |
| source_port | 5044 | long | Source port of the packet |
| vendor_ethertype | 0x0800 | keyword | The EtherType value from the packet header |
| vendor_event_action | DROP | keyword | The vendor-defined action taken by iptables on the network connection |
| vendor_event_description | IPTABLES-DROP | keyword | The description of the event action |
| vendor_iptables_id | 34317 | keyword | The unique ID of the IP datagram, shared across packet fragments |
| vendor_iptables_ttl | 47 | keyword | The packet Time to Live |
| vendor_iptables_window | 13426 | keyword | The TCP window size of the packet |
| vendor_uptime | 531661.188230 | keyword | The kernel time in seconds since boot |
Note: for user_name and source_user_name, searches will treat the values as case-insensitive. For example, a search for user_name:user1 would return results containing both cases, such as user1 and USER1.
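As an added illustration (not code from the content pack or from Graylog), the Python below maps constructed sshd and UFW kernel syslog lines onto the field names listed above and applies a subset of the GIM table, falling back to the per-category default bucket for unlisted messages. The regexes, the sample lines, and the gim_event_category/gim_event_subcategory/gim_event_type_code field names are assumptions made here; the pack's real pipeline rules are not shown.

```python
import re

# Constructed sample syslog lines (not taken from the content pack or any real host).
SAMPLE_LINES = [
    "Mar 25 10:08:00 lxs1 sshd[5222]: Accepted publickey for webadmin from 10.1.2.3 port 62681 ssh2: ED25519 SHA256:AbCdEf",
    "Mar 25 10:08:05 lxs1 sshd[5230]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2",
    "Mar 25 10:08:12 lxs1 kernel: [16058.979911] [UFW BLOCK] IN=ens33 OUT= "
    "MAC=e8:ff:1e:d8:d2:2d:94:08:53:70:ff:b3:08:00 SRC=192.168.1.151 DST=192.168.1.204 LEN=36 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=35670 PROTO=TCP SPT=5044 DPT=46026 WINDOW=50336 RES=0x00 SYN URGP=0",
]
# Subset of the GIM table above: vendor event description -> (category, subcategory, event type code).
GIM = {
    "Accepted publickey": ("authentication", "authentication.credential validation", 100500),
    "Failed password": ("authentication", "authentication.credential validation", 100501),
    "UFW BLOCK": ("network", "network.network connection", 120000),
    "UFW ALLOW": ("network", "network.network connection", 120000),
}
# Per-application default bucket for messages the table does not list explicitly.
FALLBACK = {"sshd": ("authentication", "authentication.default", 109999),
            "kernel": ("network", "network.default", 129999)}
IANA = {"tcp": 6, "udp": 17, "icmp": 1}

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w.-]+)"
                    r"(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_AUTH = re.compile(r"^(?P<res>Accepted|Failed) (?P<cred>\w+) for (?:invalid user )?(?P<user>\S+) "
                      r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2(?:: (?P<sig>.*))?$")
UFW = re.compile(r"^\[(?P<uptime>[\d.]+)\] \[UFW (?P<action>\w+)\] (?P<kv>.*)$")

def classify(ev, desc, app):
    """Attach the GIM classification for a vendor event description (default bucket if unmapped)."""
    cat, sub, code = GIM.get(desc, FALLBACK[app])
    ev.update(vendor_event_description=desc, gim_event_category=cat,
              gim_event_subcategory=sub, gim_event_type_code=code)
    return ev

def normalize(line):
    """Map one syslog line onto the pack's field names; returns None for lines it does not handle."""
    m = SYSLOG.match(line)
    if not m or m["app"] not in FALLBACK:
        return None
    ev = {"event_source": m["host"], "application_name": m["app"], "process_id": m["pid"]}
    msg, app = m["msg"], m["app"]
    if app == "sshd" and (a := SSH_AUTH.match(msg)):
        ev.update(source_ip=a["ip"], source_port=int(a["port"]), user_name=a["user"],
                  vendor_credential_type=a["cred"], vendor_ssh_signature=a["sig"],
                  event_outcome="success" if a["res"] == "Accepted" else "failure")
        return classify(ev, f"{a['res']} {a['cred']}", app)
    if app == "kernel" and (u := UFW.match(msg)):
        kv = dict(p.split("=", 1) for p in u["kv"].split() if "=" in p)
        mac = kv.get("MAC", "").split(":")  # destination MAC (6 octets) + source MAC (6) + EtherType (2)
        proto = kv.get("PROTO", "").lower()
        ev.update(vendor_uptime=u["uptime"], vendor_event_action=u["action"],
                  event_action={"BLOCK": "blocked", "ALLOW": "allowed"}.get(u["action"]),
                  network_interface_in=kv.get("IN") or None, network_interface_out=kv.get("OUT") or None,
                  source_ip=kv.get("SRC"), destination_ip=kv.get("DST"),
                  network_bytes=int(kv["LEN"]) if "LEN" in kv else None,
                  source_port=int(kv["SPT"]) if "SPT" in kv else None,
                  destination_port=int(kv["DPT"]) if "DPT" in kv else None,
                  network_transport=proto, network_iana_number=IANA.get(proto),
                  vendor_ufw_ttl=kv.get("TTL"), vendor_ufw_id=kv.get("ID"), vendor_ufw_window=kv.get("WINDOW"),
                  destination_mac=":".join(mac[:6]) if len(mac) == 14 else None,
                  source_mac=":".join(mac[6:12]) if len(mac) == 14 else None,
                  vendor_ethertype="0x" + "".join(mac[12:]) if len(mac) == 14 else None)
        return classify(ev, f"UFW {u['action']}", app)
    return None
```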
Linux System Logs Spotlight Content Pack
This spotlight offers a dashboard with 4 tabs:
- Overview
- SSH
- Sudo
- User and Group Activity
