Just parsed raw data from an auth log on an Ubuntu server into something more unified. Ingress authentications on Windows/Linux are now structured into the same format using Universal Event Format and unified into a dashboard on their incident response suite InsightIDR.

Test sample..


Some things need to be cleaned up though, notably the source IP.

It's more difficult to do unstructured auth logs, because you are most likely dealing with different types of key-value pairs.

When you use EventLog for monitoring ingress to Windows servers, you are already working with structured data.

See infosec.exchange/@superruserr/

Going to draft a post more about this topic. But it'll be a bit longer and probably won't be published for 'a while'.

I want to do more but I need to move on to other things that are also exciting.
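As an added example that is not part of the post above (and not Rapid7's or InsightIDR's code), the block below shows the kind of parsing the post describes: turning unstructured Ubuntu auth.log sshd lines into a uniform event record, with the source-IP cleanup the post mentions. The target field names are a hypothetical normalized schema, not the real Universal Event Format; the log lines are constructed, and the year is assumed because syslog timestamps do not carry one.

```python
import ipaddress
import re
from datetime import datetime
from typing import List, Optional

# Constructed sample auth.log lines (not from the original post). Note the
# IPv4-mapped IPv6 address on the last line and the non-auth lines mixed in.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 ubuntu sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc
Mar  3 10:15:09 ubuntu sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:11 ubuntu sshd[1240]: Failed password for bob from 2001:db8::1 port 40023 ssh2
Mar  3 10:15:12 ubuntu sshd[1240]: Connection closed by 198.51.100.7 port 40022 [preauth]
Mar  3 10:16:00 ubuntu sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar  3 10:16:30 ubuntu sshd[1250]: Accepted password for carol from ::ffff:192.0.2.9 port 2222 ssh2
"""

# Assumption: classic syslog timestamps have no year, so one is supplied.
ASSUMED_YEAR = 2024

# Syslog envelope: "<Mon dd HH:MM:SS> <host> <prog>[pid]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# sshd authentication decisions; other sshd messages are deliberately ignored.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def normalize_source_ip(raw: str) -> Optional[str]:
    """Clean the raw 'from' field: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    canonicalise the text form, and return None for anything that is not an
    address so GeoIP/threat-intel lookups downstream never see garbage."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_auth_line(line: str, year: int = ASSUMED_YEAR) -> Optional[dict]:
    """Map one auth.log line onto the hypothetical unified schema, or None if
    the line is not an sshd authentication decision."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "sshd":
        return None  # sudo, su, cron etc. each need their own message grammar
    a = SSHD_AUTH_RE.match(m.group("msg"))
    if not a:
        return None  # "Connection closed", "Disconnected" and friends
    ts_text = " ".join(m.group("ts").split())  # collapse the padded day column
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.isoformat(),
        "hostname": m.group("host"),
        "source_type": "linux_auth",
        "service": "sshd",
        "result": "SUCCESS" if a.group("result") == "Accepted" else "FAILURE",
        "user": a.group("user"),
        "valid_user": a.group("invalid") is None,
        "auth_method": a.group("method"),
        "source_ip": normalize_source_ip(a.group("src")),
        "source_port": int(a.group("port")),
    }


def parse_auth_log(text: str, year: int = ASSUMED_YEAR) -> List[dict]:
    """Parse a whole auth.log, keeping only authentication events."""
    events = (parse_auth_line(line, year) for line in text.splitlines())
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in parse_auth_log(SAMPLE_AUTH_LOG):
        print(event)
```

The two regexes are the unstructured part the post warns about: each daemon (sshd, sudo, su, PAM) writes its own free-text message, so every new source type needs its own message grammar, whereas the envelope and the normalized record stay the same. Lines that match the envelope but not the sshd grammar are dropped rather than guessed at, and the source IP is only emitted once it has been validated and unwrapped.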
