anti 9350ce195a fix(collector,correlation): extract attacker IP from sshd/pam free-form prose ...

Native sshd and pam_unix lines route through rsyslog without the
relay@55555 SD wrapper and without key=value pairs, so attacker_ip
fell through to "Unknown". Add a prose-IP fallback to both parsers:
anchored patterns (from/rhost/client/src) win first so we never pick
the local listener in "Connection from X port Y on Z port 22", with
a bare-IPv4 scan as the last resort.

2026-04-27 23:16:42 -04:00

5.1 KiB

Raw Blame History

View Raw