Linux Syslog
Linux syslog (RFC 3164) — SSH authentication, sudo/su privilege escalation, cron jobs, systemd service lifecycle, kernel messages, UFW firewall, PAM, DHCP, Postfix mail, and package management from rsyslog/syslog-ng.
Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/linux-syslog/generator.yml \
  --id syslog \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| sshd-auth | SSH authentication (publickey, password, failed, invalid user) | ~17% | authentication |
| systemd-lifecycle | Service started, stopped, and failed | ~17% | process |
| cron | Cron job execution | ~14% | process |
| sudo | Sudo command execution and auth failure | ~11% | process |
| sshd-session | SSH session opened, closed, disconnect | ~8% | session |
| kernel-generic | Filesystem, device, OOM, and misc kernel messages | ~7% | host |
| pam | PAM session and authentication across services | ~6% | authentication |
| kernel-firewall | UFW BLOCK/ALLOW firewall messages | ~5% | network |
| postfix | SMTP delivery, connect, and disconnect | ~5% | |
| dhcp | DHCPACK, DHCPREQUEST, DHCPDISCOVER | ~3% | network |
| package-mgmt | dpkg/apt install, configure, remove | ~3% | package |
| su | su privilege escalation | ~2% | authentication |
| rsyslog | rsyslog internal and logrotate messages | ~1% | host |
Realism Features
- RFC 3164 syslog lines in event.original with correct PRI values (facility * 8 + severity)
- Correlated SSH sessions — sshd-auth pushes sessions consumed by sshd-session for close/disconnect
- Correlated systemd lifecycle — service start creates entries consumed by service stop
- 15-host fleet with OS-specific log paths (/var/log/syslog for Debian, /var/log/messages for Rocky)
- Per-host monotonic log.offset counters simulating file byte positions
- Realistic failure rates — SSH auth (20%), sudo (15%), systemd (15%), su (20%)
Sample Output

```json
{
  "@timestamp": "2026-03-06T14:33:01.000000+00:00",
  "event": {
    "original": "<86>Mar 6 14:33:01 web-01 sshd[12345]: Accepted publickey for jsmith from 10.1.3.5 port 52341 ssh2",
    "dataset": "system.syslog",
    "module": "system",
    "kind": "event",
    "category": ["authentication"],
    "type": ["info"]
  },
  "message": "Accepted publickey for jsmith from 10.1.3.5 port 52341 ssh2",
  "host": { "hostname": "web-01" },
  "process": { "name": "sshd", "pid": 12345 },
  "source": { "ip": "10.1.3.5", "port": 52341 },
  "user": { "name": "jsmith" },
  "system": { "syslog": {} }
}
```

Parameters
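To show how the raw RFC 3164 line in event.original relates to the structured fields beside it, here is an added Python example (written for this page, not code from the eventum project or its content packs). It decodes the PRI using the facility * 8 + severity rule from the Realism Features list, splits the header into timestamp, host, process and pid, maps sshd "Accepted"/"Failed" messages to event.outcome, user.name and source.*, and then counts failures per source address as a small detection check over the generated lines. The ECS field names log.syslog.facility.name and log.syslog.severity.name, the threshold value, and every sample line except the page's own are assumptions constructed for the illustration.

```python
"""Parse RFC 3164 syslog lines into ECS-style dicts and flag repeated sshd failures.

Added illustration for the content-pack README; not eventum's own code.
"""
import re
from collections import Counter

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# <PRI>Mmm dd HH:MM:SS host prog[pid]: message  (pid is optional, day may be space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# sshd authentication messages: "Accepted publickey for X from IP port N ssh2"
# and "Failed password for [invalid user] X from IP port N ssh2".
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def decode_pri(pri: int) -> tuple[str, str]:
    """Split PRI = facility * 8 + severity into its two names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line: str) -> dict:
    """Return an ECS-style dict for one RFC 3164 line; raise ValueError if malformed."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    event = {
        "event": {"original": line, "kind": "event"},
        "message": m["msg"],
        "host": {"hostname": m["host"]},
        "process": {"name": m["proc"]},
        # log.syslog.* field names are assumed here (ECS convention).
        "log": {"syslog": {"facility": {"name": facility},
                           "severity": {"name": severity}}},
    }
    if m["pid"]:
        event["process"]["pid"] = int(m["pid"])
    if m["proc"] == "sshd":
        _enrich_sshd(event, m["msg"])
    return event


def _enrich_sshd(event: dict, msg: str) -> None:
    """Map sshd auth messages to event.outcome, user.name and source.*."""
    a = SSHD_AUTH_RE.match(msg)
    if not a:
        return  # session open/close lines carry no auth outcome
    event["event"]["category"] = ["authentication"]
    event["event"]["outcome"] = "success" if a["result"] == "Accepted" else "failure"
    event["user"] = {"name": a["user"]}
    event["source"] = {"ip": a["ip"], "port": int(a["port"])}
    if a["invalid"]:
        event["event"]["reason"] = "invalid user"


def failed_logins_by_source(lines, threshold: int = 3) -> dict[str, int]:
    """Count sshd auth failures per source IP; return sources at or above threshold."""
    counts = Counter()
    for line in lines:
        try:
            ev = parse_syslog_line(line)
        except ValueError:
            continue  # skip anything that is not a well-formed RFC 3164 line
        if ev["event"].get("outcome") == "failure":
            counts[ev["source"]["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input: the first line is the page's own sample; the rest are
# made up for this illustration (PRI 85 = authpriv.notice, PRI 78 = cron.info).
SAMPLE_LINES = [
    "<86>Mar 6 14:33:01 web-01 sshd[12345]: Accepted publickey for jsmith from 10.1.3.5 port 52341 ssh2",
    "<85>Mar  6 14:33:07 web-01 sshd[12350]: Failed password for invalid user admin from 10.1.9.77 port 40122 ssh2",
    "<85>Mar  6 14:33:09 web-01 sshd[12352]: Failed password for invalid user admin from 10.1.9.77 port 40130 ssh2",
    "<85>Mar  6 14:33:12 web-01 sshd[12355]: Failed password for root from 10.1.9.77 port 40141 ssh2",
    "<78>Mar  6 14:35:01 web-01 CRON[12400]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog_line(line)
        print(ev["log"]["syslog"], ev["event"].get("outcome"), ev["message"])
    print(failed_logins_by_source(SAMPLE_LINES))
```

The PRI in the page's sample, 86, decodes to authpriv (10 * 8) plus informational (6), which is why the generator's SSH lines land in facility authpriv rather than auth. The per-source failure count is the kind of check a detection rule built on this dataset would run; the threshold of 3 is only a demonstration value.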
| Parameter | Default | Description |
|---|---|---|
| fqdn_suffix | example.com | Domain suffix appended to hostname |
| agent_version | 8.17.0 | Filebeat version string |
| network_prefix | 10.1 | Internal network prefix for IPs and firewall rules |
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Windows PowerShell
PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated command detection and suspicious script patterns.
Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.