
Hi Everyone!

We're just playing with ingestion at the moment, trying our first data sources, but we're facing some weird issue.

I've set up a rsyslog server forwarding syslog to a forwarder via UDP in the same docker server (so expect traffic from and to 192.168.0.195 here). Just for testing, I'm forwarding the login related stuff only.

auth.*,user.*,authpriv.* @192.168.0.195:1515

Then, I've set up a Unix System listener in the forwarder (no block filters at all), and we can see some successful login events in the SIEM.

But, for example, any unsuccessful logins are not shown at all. I thought that maybe my format wasn't correct (I'm running Arch on my server), but even looking for those events in a raw log search, I got nothing.

Just for testing, I've installed tcpdump inside the cfps container and I can see those logs arriving.

 192.168.0.195.46128 > 192.168.0.195.1515: [bad udp cksum 0x838d -> 0xe08b!] UDP, length 157
E...<z@.@.z..........0......<85>Feb 12 14:49:15 archserver sshd-session[2959074]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.209 user=root

When I check the container logs during a failed login, I see batches of Unix events being forwarded.

I0212 17:48:30.447992 486 malachite.go:257] Batch (1, NIX_SYSTEM) successfully uploaded.
I0212 17:48:40.920299 486 malachite.go:257] Batch (7, NIX_SYSTEM) successfully uploaded.
I0212 17:48:51.420241 486 malachite.go:257] Batch (1, NIX_SYSTEM) successfully uploaded.
I0212 17:49:02.470379 486 malachite.go:257] Batch (5, NIX_SYSTEM) successfully uploaded. 

What am I missing here?

Thanks in advance

Pablo
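The tcpdump payload above carries a BSD-syslog PRI header (`<85>`), and whether the forwarder's selector keeps a line depends on how that number decodes. The following script is an added example, not code from the original post or from the forwarder: it decodes the PRI into facility and severity, mirrors the `auth.*,user.*,authpriv.*` selector, and pulls the `rhost` and `user` fields out of sshd PAM failure lines. The first sample datagram is the payload quoted in the post; the other two are constructed to exercise the filter, and the pattern list for PAM failures is an assumption based on the one line shown.

```python
import re
from typing import Optional

# Facility and severity names from RFC 5424 section 6.2.1 (PRI = facility * 8 + severity)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Assumed PAM failure wording, derived from the sshd line quoted in the post
PAM_FAIL_RE = re.compile(r"(authentication failure|more authentication failures)", re.I)
RHOST_RE = re.compile(r"rhost=(\S*)")
USER_RE = re.compile(r"\buser=(\S*)")  # \b keeps this from matching "ruser="


def decode_pri(datagram: str):
    """Split a BSD-syslog datagram into (facility_name, severity_name, message), or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def matches_selector(facility: str, selectors=("auth", "user", "authpriv")) -> bool:
    """Mirror the rsyslog selector auth.*,user.*,authpriv.*: any severity of those facilities."""
    return facility in selectors


def extract_auth_failure(datagram: str) -> Optional[dict]:
    """Return structured fields for a PAM authentication failure that passes the selector, else None."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return None
    facility, severity, msg = decoded
    if not matches_selector(facility) or not PAM_FAIL_RE.search(msg):
        return None
    rhost = RHOST_RE.search(msg)
    user = USER_RE.search(msg)
    return {
        "facility": facility,
        "severity": severity,
        "rhost": rhost.group(1) if rhost else "",
        "user": user.group(1) if user else "",
    }


# Constructed samples: [0] is the payload from the tcpdump output in the post; [1] and [2] are made up.
SAMPLE_DATAGRAMS = [
    "<85>Feb 12 14:49:15 archserver sshd-session[2959074]: PAM 2 more authentication failures; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.209 user=root",
    "<86>Feb 12 14:50:01 archserver sshd-session[2959100]: Accepted publickey for alice "
    "from 192.168.0.209 port 51122 ssh2",
    "<30>Feb 12 14:50:05 archserver systemd[1]: Started Session 42 of User alice.",
]


def summarize(datagrams=SAMPLE_DATAGRAMS):
    """Return the auth-failure records found in a list of datagrams."""
    return [f for f in (extract_auth_failure(d) for d in datagrams) if f]


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        decoded = decode_pri(d)
        print(decoded[:2] if decoded else None, "->", extract_auth_failure(d))
```

Running it shows that `<85>` decodes to authpriv.notice, so the failed-login line does satisfy the `authpriv.*` selector and is expected to be forwarded; the same decoder can be run over a pcap's payloads to confirm which facility each missing event is actually emitted under before looking further downstream.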

Should you try sending ALL logs: *.* via UDP? I assume you are listening on both TCP and UDP on the forwarder.




Thanks for the reply. I'm only listening on UDP because all of my syslog servers are using just UDP. If I enable all rsyslog facilities, I also get other messages, but I still cannot get the failed login ones, which I see arriving in the tcpdump, but not in the raw log search.

