Custom parser for the Asterisk messages log file

Hi everyone!

Help me please. I'm writing a configuration to tell the parser to take certain lines from the Asterisk log (/var/log/asterisk/messages). Unfortunately, the syntax does not allow adding words with the ' sign.

Examples of entries from the log file:

[Oct 24 18:47:36] NOTICE[2387] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:109@0.0.0.0>' failed for '0.0.0.0:57472' (callid: e5f4a96034105e4f7a109) - Failed to authenticate

[Oct 25 12:37:58] NOTICE[2990] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"0.0.0.0" <sip:0.0.0.0@0.0.0.0>' failed for '0.0.0.0:21840' (callid: 1703121477@0.0.0.0) - Failed to authenticate

I wrote patterns:

\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Request 'REGISTER' from '<sip:%{USERNAME:username}@%{IPORHOST:target_ip}>' failed for '%{IPORHOST:source_ip}:%{NUMBER:source_port}'

\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Request 'INVITE' from '(?:"[^"]*" )?<sip:%{USERNAME:username}@%{IPORHOST:target_ip}>' failed for '%{IPORHOST:source_ip}:%{NUMBER:source_port}'

My templates are not working for some reason. I decided to try writing only an abbreviated part of the lines for the parser to catch. After applying these entries (written below), an error occurs:

Error decoding parsing configuration file '/etc/crowdsec/parsers/s01-parse/asterisk-logs.yaml': yaml: line 48: did not find expected key

/etc/crowdsec/parsers/s01-parse/asterisk-logs.yaml:

```yaml
name: crowdsecurity/asterisk-logs
description: "Parse Asterisk logs"
filter: "evt.Parsed.program == 'asterisk'"
onsuccess: next_stage
nodes:
  - grok:
      # [ and ] are regex metacharacters: escape the literal brackets
      pattern: '\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Request REGISTER from'
      apply_on: message
      statics:
        # each value/expression must be indented under its own "- meta:" item
        - meta: log_type
          value: asterisk_failed_auth
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
        - meta: target_user
          expression: evt.Parsed.username
        - meta: session_id
          expression: evt.Parsed.asterisk_session_id
        - meta: asterisk_service
          expression: evt.Parsed.asterisk_service

  - grok:
      pattern: '\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Request INVITE from'
      apply_on: message
      statics:
        - meta: log_type
          value: asterisk_failed_auth
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
        - meta: target_user
          expression: evt.Parsed.username
        - meta: session_id
          expression: evt.Parsed.asterisk_session_id
        - meta: asterisk_service
          expression: evt.Parsed.asterisk_service

  - grok:
      pattern: '\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Failed to authenticate'
      apply_on: message
      statics:
        - meta: log_type
          value: asterisk_failed_auth
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
        - meta: target_user
          expression: evt.Parsed.username
        - meta: session_id
          expression: evt.Parsed.asterisk_session_id
        - meta: asterisk_service
          expression: evt.Parsed.asterisk_service

statics:
  - meta: service
    value: asterisk
  - meta: source_ip
    expression: evt.Parsed.source_ip
```
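An added check, not part of the original post, that expands the REGISTER grok pattern with a tiny stand-in grok library (the DATA/NUMBER/USERNAME/IPORHOST definitions are simplified assumptions, not CrowdSec's own) and runs it over the first log excerpt above; it shows that the brackets around the timestamp and thread id must be written `\[` and `\]` for the pattern to match at all.

```python
import re

# Simplified stand-ins for the grok base patterns (assumption: close enough
# for the sample lines; these are not CrowdSec's bundled definitions).
GROK = {
    "DATA": r".*?",
    "NUMBER": r"\d+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IPORHOST": r"[0-9A-Za-z.:-]+",
}

def grok_to_regex(pattern):
    """Expand %{TYPE:name} into a named group and %{TYPE} into a plain group."""
    def repl(m):
        typ, name = m.group(1), m.group(2)
        return f"(?P<{name}>{GROK[typ]})" if name else f"(?:{GROK[typ]})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

# Brackets are regex metacharacters, so the literal ones around the timestamp
# and thread id are escaped; the quoted 'REGISTER' is plain literal text.
REGISTER_PATTERN = (
    r"\[%{DATA:timestamp}\] NOTICE\[%{NUMBER}\].* Request 'REGISTER' from "
    r"'<sip:%{USERNAME:username}@%{IPORHOST:target_ip}>' failed for "
    r"'%{IPORHOST:source_ip}:%{NUMBER:source_port}'"
)

def parse_register_failure(line):
    """Return the captured fields for a failed REGISTER, or None if no match."""
    m = re.search(grok_to_regex(REGISTER_PATTERN), line)
    return m.groupdict() if m else None

def unescaped_pattern_matches(line):
    """The same pattern with bare brackets (the original mistake): [...] is
    then read as a character class, so the line no longer matches."""
    broken = REGISTER_PATTERN.replace(r"\[", "[").replace(r"\]", "]")
    return re.search(grok_to_regex(broken), line) is not None

# The first excerpt from the post, with straight quotes
SAMPLE = ("[Oct 24 18:47:36] NOTICE[2387] res_pjsip/pjsip_distributor.c: Request "
          "'REGISTER' from '<sip:109@0.0.0.0>' failed for '0.0.0.0:57472' "
          "(callid: e5f4a96034105e4f7a109) - Failed to authenticate")

if __name__ == "__main__":
    print(parse_register_failure(SAMPLE))
    print("unescaped pattern matches:", unescaped_pattern_matches(SAMPLE))
```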