Mozilla Security Simultaneous Usage, Tracking Variation
This plugin uses Heka selprinc to parse and normalize authentication or application usage activity, and identifies scenarios where usage is seen from two different tracking values within a fixed window of time.
The width configuration parameter can be used to specify the window size (in seconds) for which events will be compared with each other. As an example, if an event is seen for tracked value X, then tracked value Y, and then tracked value X again for the same user where the delta between the third and second events is less than width, an alert will be generated.
The Timestamp field is used to determine the event timestamp and should be set appropriately in the input plugin.
Suitable parameters for tracking include selprinc auxilliary values such as GeoIP country.
If enable_metrics is true, the module will submit metrics events for collection by the metrics output sandbox. Ensure process_message_inject_limit is set appropriately, as if enabled process_event will submit up to 2 messages (the alert, and the metric event).
1. Sample Configuration
filename = "moz_security_simuse.lua"
message_matcher = "Type ~= 'mozphab'%"
ticker_interval = 0
process_message_inject_limit = 1
-- preserve the tracking data across process restarts
preserve_data = true
-- preservation_version = 0 -- optional, increment if config is changed
-- acceptable_message_drift = 1500 -- optional, default shown, 0 to disable
-- width = 21600 -- optional, inspection width default 21600 (6 hours)
selprinc_track = { "geocountry" }
heka_selprinc = {
events = {
ssh = {
select_field = "Fields[controller]",
select_match = ".+",
subject_field = "Fields[user]",
object_field = "Fields[controller]",
sourceip_field = "Fields[ip]",
aux = {
{ "geocity", "Fields[ip_city]" },
{ "geocountry", "Fields[ip_country]" }
}
}
}
}
-- enable_metrics = false -- optional, if true enable secmetrics submission
source code: moz_security_simuse.lua