Cowdsec missing vsftp failures

I want to add a custom parser for vsftpd because of many lines like below…in our vsftpd.log

Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client “123.123.123.123”, “530 Permission denied.”

Can I just copy /etc/crowdsec/parsers/s01-parse/vsftpd-logs.yaml and change the pattern_syntax ?
Or is more involved ?

cf. our discussion on Gitter, here is the proposal to add this new pattern:

onsuccess: next_stage
name: vsftpd-logs
description: "Parse VSFTPD logs"
filter: "evt.Parsed.program == 'vsftpd'"
#debug: true
nodes:
  - pattern_syntax:
      FTP_AUTH_FAIL: '%{HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] FAIL LOGIN: Client "(::ffff:)?%{IP:source_ip}"'
    grok:
      pattern: "%{FTP_AUTH_FAIL}"
      apply_on: message
    statics:
        - meta: program
          value: vsftpd
        - meta: log_type
          value: ftp_failed_auth
        - meta: source_ip
          expression: "evt.Parsed.source_ip"
        - meta: user
          expression: "evt.Parsed.user"
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
  - pattern_syntax:
      FTP_PERMISSION_DENIED: '%{HTTPDERROR_DATE:timestamp} [pid %{NUMBER}] [%{GREEDYDATA:user}] FTP response: Client "(::ffff:)?%{IP:source_ip}", "530 Permission denied."'
    grok:
      pattern: "%{FTP_PERMISSION_DENIED}"
      apply_on: message
    statics:
        - meta: program
          value: vsftpd
        - meta: log_type
          value: ftp_permission_denied
        - meta: source_ip
          expression: "evt.Parsed.source_ip"
        - meta: user
          expression: "evt.Parsed.user"
        - target: evt.StrTime
          expression: evt.Parsed.timestamp 
1 Like