I want to add a custom parser for vsftpd because of many lines like the one below in our vsftpd.log:
Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client “123.123.123.123”, “530 Permission denied.”
Can I just copy /etc/crowdsec/parsers/s01-parse/vsftpd-logs.yaml and change the pattern_syntax?
Or is it more involved?
Cf. our discussion on Gitter; here is the proposal to add this new pattern:
```yaml
onsuccess: next_stage
name: vsftpd-logs
description: "Parse VSFTPD logs"
filter: "evt.Parsed.program == 'vsftpd'"
#debug: true
nodes:
  # Existing node: failed logins
  - pattern_syntax:
      FTP_AUTH_FAIL: '%{HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] FAIL LOGIN: Client "(::ffff:)?%{IP:source_ip}"'
    grok:
      pattern: "%{FTP_AUTH_FAIL}"
      apply_on: message
    statics:
      - meta: program
        value: vsftpd
      - meta: log_type
        value: ftp_failed_auth
      - meta: source_ip
        expression: "evt.Parsed.source_ip"
      - meta: user
        expression: "evt.Parsed.user"
      - target: evt.StrTime
        expression: evt.Parsed.timestamp
  # New node: "530 Permission denied." responses
  - pattern_syntax:
      # Square brackets must be escaped as in FTP_AUTH_FAIL; an unescaped "[...]" is a character class in grok
      FTP_PERMISSION_DENIED: '%{HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] FTP response: Client "(::ffff:)?%{IP:source_ip}", "530 Permission denied."'
    grok:
      pattern: "%{FTP_PERMISSION_DENIED}"
      apply_on: message
    statics:
      - meta: program
        value: vsftpd
      - meta: log_type
        value: ftp_permission_denied
      - meta: source_ip
        expression: "evt.Parsed.source_ip"
      - meta: user
        expression: "evt.Parsed.user"
      - target: evt.StrTime
        expression: evt.Parsed.timestamp
```
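To check the two pattern_syntax entries offline before installing the parser, here is an added example (not part of the thread or of CrowdSec) that expands the grok macros into plain regexes and runs them over constructed vsftpd.log lines. The macro definitions are simplified stand-ins written for this example, not the real grok library, and the `(::ffff:)?` prefix case for IPv4-mapped addresses is exercised too.

```python
import re

# Simplified stand-ins for the stock grok macros the proposal uses.
# Assumption: approximations written for this example, not CrowdSec's own
# definitions; they are sufficient for the vsftpd lines below.
GROK_LIB = {
    "HTTPDERROR_DATE": r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}",
    "NUMBER": r"\d+",
    "GREEDYDATA": r".*",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
}

# %{NAME} or %{NAME:field}, as written in a pattern_syntax entry.
MACRO = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand grok macros into a regex; %{NAME:field} becomes a named group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_LIB[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return MACRO.sub(expand, pattern)


# The two pattern_syntax entries from the proposal. Square brackets are
# escaped: unescaped, "[pid %{NUMBER}]" is a character class, not literal text.
PATTERNS = {
    "ftp_failed_auth": (
        r'%{HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] '
        r'FAIL LOGIN: Client "(::ffff:)?%{IP:source_ip}"'
    ),
    "ftp_permission_denied": (
        r'%{HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] '
        r'FTP response: Client "(::ffff:)?%{IP:source_ip}", "530 Permission denied\."'
    ),
}


def parse_vsftpd(line: str, patterns: dict = PATTERNS):
    """Return (log_type, captured fields) for the first matching pattern, else None."""
    for log_type, syntax in patterns.items():
        m = re.search(grok_to_regex(syntax), line)
        if m:
            return log_type, m.groupdict()
    return None


# Constructed sample lines in the vsftpd.log format shown in the thread.
SAMPLES = [
    'Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client "123.123.123.123", "530 Permission denied."',
    'Mon Apr 12 15:19:20 2021 [pid 15683] [www-data] FAIL LOGIN: Client "::ffff:198.51.100.7"',
    'Mon Apr 12 15:19:25 2021 [pid 15690] [ftpuser] OK LOGIN: Client "198.51.100.8"',
]
```

Running `parse_vsftpd` over `SAMPLES` yields the log_type and the `timestamp`, `user` and `source_ip` fields that the statics block copies into `evt.Meta`; the successful-login line matches neither pattern and is left for another node.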