Hi everyone!
Help me please. I’m writing to tell the parser to take certain lines from the asterisk log (/ var/ log/ asterisk/ messages). Unfortunately, the syntax does not allow adding words with the sign ’ ’
Examples of entries from the log file:
[Oct 24 18:47:36] NOTICE[2387] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:109 @0.0.0.0>’ failed for ‘0.0.0.0:57472’ (callid: e5f4a96034105e4f7a109) - Failed to authenticate
[Oct 25 12:37:58] NOTICE[2990] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“0.0.0.0” <sip:0.0.0.0 @0.0.0.0>’ failed for ‘0.0.0.0:21840’ (callid: 1703121477 @0.0.0.0) - Failed to authenticate
I wrote patterns:
'[%{DATA:timestamp}] NOTICE[%{NUMBER}].* Request ‘REGISTER’ from ‘<sip: %{USERNAME:username} @ % {IPORHOST:target_ip}>’ failed for ‘%{IPORHOST:source_ip}:%{NUMBER:source_port}’
'[%{DATA:timestamp}] NOTICE[%{NUMBER}].* Request ‘INVITE’ from ‘<sip:%{USERNAME:username} @ % {IPORHOST:target_ip}>’ failed for ‘% {IPORHOST:source_ip}:%{NUMBER:source_port}’
My templates are not working for some reason. I decided to try to write an abbreviated part of the lines for catching by the parser. After applying such entries (I wrote them below), an error occurs:
Error decoding parsing configuration file ‘/etc/crowdsec/parsers/s01-parse/asterisk-logs.yaml’: yaml: line 48: did not find expected key
/etc /crowdsec /parsers /s01-parse /asterisk-logs.yaml
name: crowdsecurity/asterisk-logs
description: “Parse Asterisk logs”
filter: “evt.Parsed.program == ‘asterisk’”
onsuccess: next_stage
nodes:
-
grok:
pattern: ‘[%{DATA:timestamp}] NOTICE[%{NUMBER}].* Request REGISTER from’apply_on: message
statics:
- meta: log_type
value: asterisk_failed_auth
- target: evt.StrTime
expression: evt.Parsed.timestamp
- meta: target_user
expression: evt.Parsed.username
- meta: session_id
expression: evt.Parsed.asterisk_session_id
- meta: asterisk_service
expression: evt.Parsed.asterisk_service -
grok:
pattern: ‘[%{DATA:timestamp}] NOTICE[%{NUMBER}].* Request INVITE from’
apply_on: message
statics:
- meta: log_type
value: asterisk_failed_auth
- target: evt.StrTime
expression: evt.Parsed.timestamp
- meta: target_user
expression: evt.Parsed.username
- meta: session_id
expression: evt.Parsed.asterisk_session_id
- meta: asterisk_service
expression: evt.Parsed.asterisk_service -
grok:
pattern: ‘[%{DATA:timestamp}] NOTICE[%{NUMBER}].* Failed to authenticate’
apply_on: message
statics:
- meta: log_type
value: asterisk_failed_auth
- target: evt.StrTime
expression: evt.Parsed.timestamp
- meta: target_user
expression: evt.Parsed.username
- meta: session_id
expression: evt.Parsed.asterisk_session_id
- meta: asterisk_service
expression: evt.Parsed.asterisk_service
statics:
- meta: service
value: asterisk
- meta: source_ip
expression: evt.Parsed.source_ip