Friday, September 5, 2014

Logstash config file for Ubuntu SSH auth.log with GeoIP

Since I spent half a day working it out and I wish someone had already done it, here is a logstash config file that handles your ssh auth.log, tags it, and then uses geoip lookup to add country information based on the source IP address. Should work using the default layout of the auth.log in Ubuntu releases. Don't forget to change/remove the "type" tag depending on your circumstances.

https://github.com/glenritchie/logstash-conf/blob/master/10-authlog.conf

Enjoy.
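For readers who cannot reach the linked repository, here is an added example of the kind of pipeline the post describes; it is my own illustration, not the config from the author's GitHub repo, and it assumes the default Ubuntu `/var/log/auth.log` format, the stock grok patterns shipped with Logstash (`SYSLOGTIMESTAMP`, `SYSLOGHOST`, `USERNAME`, `IP`, `POSINT`), and the geoip filter's bundled GeoLite database. The `type` value `sshd` is a placeholder exactly as the post warns: change or remove it to fit your setup.

```logstash
# Added example pipeline (not the author's 10-authlog.conf).
# Reads the Ubuntu auth.log, parses sshd events, tags them as accepted or
# failed logins, and enriches the source address with GeoIP country data.

input {
  file {
    path => "/var/log/auth.log"
    type => "sshd"          # placeholder type; change or remove as needed
    start_position => "beginning"
  }
}

filter {
  # Only process lines emitted by sshd; other auth.log lines pass through untouched.
  if [type] == "sshd" and [message] =~ /sshd\[/ {

    # Split the syslog envelope from the sshd message body.
    # Example line (constructed):
    #   Sep  5 10:11:12 myhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_host} sshd\[%{POSINT:pid}\]: %{GREEDYDATA:sshd_message}" }
    }

    # Use the syslog timestamp as the event time instead of ingestion time.
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Successful logins: password or publickey.
    grok {
      match => { "sshd_message" => "Accepted %{WORD:auth_method} for %{USERNAME:user} from %{IP:src_ip} port %{POSINT:src_port} ssh2" }
      add_tag => [ "ssh_accepted" ]
      tag_on_failure => []   # silence the default _grokparsefailure on non-matching lines
    }

    # Failed logins. The "invalid user" pattern is listed first so that the
    # word "invalid" is not captured as the username by the generic pattern.
    grok {
      match => { "sshd_message" => [
        "Failed password for invalid user %{USERNAME:user} from %{IP:src_ip} port %{POSINT:src_port} ssh2",
        "Failed password for %{USERNAME:user} from %{IP:src_ip} port %{POSINT:src_port} ssh2",
        "Invalid user %{USERNAME:user} from %{IP:src_ip}"
      ] }
      add_tag => [ "ssh_failed" ]
      tag_on_failure => []
    }

    # GeoIP enrichment only when a source IP was extracted. Private/loopback
    # addresses are not in the database and will get a _geoip_lookup_failure
    # tag, which is harmless but worth knowing when you count failures.
    if [src_ip] {
      geoip {
        source => "src_ip"   # uses the plugin's bundled GeoLite database unless `database` is set
      }
    }
  }
}

output {
  # Print parsed events for inspection; swap for elasticsearch {} in production.
  stdout { codec => rubydebug }
}
```

Running `logstash -f` against this file and feeding it the constructed line in the comment yields an event tagged `ssh_failed` with `user => "admin"`, `src_ip => "203.0.113.5"` and a `geoip` sub-document; for detection purposes, counting `ssh_failed` events per `src_ip` and per `geoip.country_name` over a short window is the usual first alert built on this data.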
