Help: having only unparsed logs

Hey,

I have one system which seems not to parse any logs. It also does not show any decisions, and on alerts the only thing there is the update of the community rulesets. So it looks like it is really not doing anything at the moment. I tried to find some clues, but other similar threads mentioned in the forum didn't show any solution. Maybe just a minor problem.

cscli metrics

INFO[0000] Acquisition Metrics:
+-----------------------------------+------------+--------------+----------------+------------------------+
|              SOURCE               | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-----------------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log                 |        173 | -            |            173 | -                      |
| /var/log/caddy/dav-mgz.access.log |          1 | -            |              1 | -                      |
| /var/log/caddy/ip3q.access.log    |         16 | -            |             16 | -                      |
| /var/log/caddy/mgz.access.log     |        255 | -            |            255 | -                      |
| /var/log/syslog                   |       8484 | -            |           8484 | -                      |
+-----------------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+----------------------------------+------+--------+----------+
|             PARSERS              | HITS | PARSED | UNPARSED |
+----------------------------------+------+--------+----------+
| child-crowdsecurity/apache2-logs |  544 | -      |      544 |
| child-crowdsecurity/sshd-logs    |   65 | -      |       65 |
| crowdsecurity/apache2-logs       |  272 | -      |      272 |
| crowdsecurity/non-syslog         |  272 |    272 | -        |
| crowdsecurity/sshd-logs          |   13 | -      |       13 |
| crowdsecurity/syslog-logs        | 8657 |   8657 | -        |
+----------------------------------+------+--------+----------+
INFO[0000] Local Api Metrics:
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts           | GET    |    1 |
| /v1/decisions/stream | GET    | 1062 |
| /v1/watchers/login   | POST   |    7 |
+----------------------+--------+------+
INFO[0000] Local Api Machines Metrics:
+----------------------------------+------------+--------+------+
|             MACHINE              |   ROUTE    | METHOD | HITS |
+----------------------------------+------------+--------+------+
| xxx| /v1/alerts | GET    |    1 |
+----------------------------------+------------+--------+------+
INFO[0000] Local Api Bouncers Metrics:
+------------------------------+----------------------+--------+------+
|           BOUNCER            |        ROUTE         | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-SethwuNZ | /v1/decisions/stream | GET    | 1062 |
+------------------------------+----------------------+--------+------+

cscli parsers list

-------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS   VERSION  LOCAL PATH
-------------------------------------------------------------------------------------------------------------
 crowdsecurity/iptables-logs     ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
 crowdsecurity/apache2-logs      ✔️  enabled  0.4      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/http-logs         ✔️  enabled  0.5      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/whitelists        ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/mysql-logs        ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
 crowdsecurity/sshd-logs         ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
-------------------------------------------------------------------------------------------------------------

cscli scenarios list

--------------------------------------------------------------------------------------------------------------------------
 NAME                                       📦 STATUS   VERSION  LOCAL PATH
--------------------------------------------------------------------------------------------------------------------------
 crowdsecurity/http-path-traversal-probing  ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
 crowdsecurity/http-probing                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/mysql-bf                     ✔️  enabled  0.1      /etc/crowdsec/scenarios/mysql-bf.yaml
 crowdsecurity/http-bad-user-agent          ✔️  enabled  0.3      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics       ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/http-sensitive-files         ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/ssh-bf                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/http-backdoors-attempts      ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-sqli-probing            ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sqli-probing.yaml
 ltsich/http-w00tw00t                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-w00tw00t.yaml
 crowdsecurity/iptables-scan-multi_ports    ✔️  enabled  0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
 crowdsecurity/http-xss-probing             ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-xss-probing.yaml
--------------------------------------------------------------------------------------------------------------------------

cscli collections list

----------------------------------------------------------------------------------------------------------------
 NAME                                 📦 STATUS   VERSION  LOCAL PATH
----------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache2                ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml
 crowdsecurity/base-http-scenarios    ✔️  enabled  0.3      /etc/crowdsec/collections/base-http-scenarios.yaml
 crowdsecurity/whitelist-good-actors  ✔️  enabled  0.1      /etc/crowdsec/collections/whitelist-good-actors.yaml
 crowdsecurity/sshd                   ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml
 crowdsecurity/linux                  ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml
 crowdsecurity/mysql                  ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml
 crowdsecurity/iptables               ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml
----------------------------------------------------------------------------------------------------------------

In the logs there is no error.

Thanks for any idea.

Hello @tcpip !

Welcome, and let's look into this :slightly_smiling_face:

From your metrics (the acquisition section) it seems that you are ingesting mostly caddy logs, and they aren't parsed. I'm not too familiar with the log format, but it seems that apache2 tried and didn't manage to parse them. You have as well some syslog and auth.log that aren't parsed, but depending on your setup it might be normal.

Would you mind posting some (preferably anonymized) logs here so we can check why they aren't parsed by the apache2 parsers? (You can message me privately if you don't feel comfortable posting them here.)

Cheers,

Yes, it's mostly Caddy and SSHD I want to parse.
I set up Caddy to use the common apache2 log format; here are some examples:

116.203.xxx.xxx - - [05/Mar/2021:09:01:38 +0100] "GET /test/lists/sip_30d.txt HTTP/1.0" 200 1513
2a01:4f8:xxx:xxx:xxx::1 - - [05/Mar/2021:09:30:01 +0100] "GET /test/lists/sip_30d.txt.gz HTTP/1.0" 200 1523
116.203.xxx.xxx - - [05/Mar/2021:10:01:02 +0100] "GET /test/lists/sip_30d.txt.gz HTTP/2.0" 200 1498
116.203.xxx.xxx - - [05/Mar/2021:11:01:01 +0100] "GET /test/lists/sip_30d.txt.gz HTTP/2.0" 200 1498
83.151.xxx.xxx - - [05/Mar/2021:11:16:38 +0100] "POST /test/test.php HTTP/1.1" 200 0
63.143.xxx.xxx - - [05/Mar/2021:11:26:22 +0100] "HEAD / HTTP/1.1" 200 0
93.240.xxx.xxx - - [05/Mar/2021:11:27:29 +0100] "GET / HTTP/2.0" 200 1072
93.240.xxx.xxx - - [05/Mar/2021:11:27:29 +0100] "GET /favicon.ico HTTP/2.0" 404 0
93.240.xxx.xxx - - [05/Mar/2021:11:27:39 +0100] "GET / HTTP/2.0" 200 1072
93.240.xxx.xxx - - [05/Mar/2021:11:27:39 +0100] "GET /favicon.ico HTTP/2.0" 404 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:18 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:19 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:43 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:47 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:52 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:53 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:55 +0100] "GET / HTTP/2.0" 401 0
93.240.xxx.xxx - - [05/Mar/2021:11:30:55 +0100] "GET / HTTP/2.0" 401 0

The strange thing is that, from the metrics, none of the log lines is parsed. Even mysql, which is pretty standard, is not parsing at all.

+-----------------------------------+------------+--------------+----------------+------------------------+
|              SOURCE               | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-----------------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log                 |        542 | -            |            542 | -                      |
| /var/log/caddy/dav-mgz.access.log |         34 | -            |             34 | -                      |
| /var/log/caddy/ip3q.access.log    |         19 | -            |             19 | -                      |
| /var/log/caddy/mgz.access.log     |        355 | -            |            355 | -                      |
| /var/log/mysql/error.log          |          2 | -            |              2 | -                      |
| /var/log/syslog                   |      11881 | -            |          11881 | -                      |
+-----------------------------------+------------+--------------+----------------+------------------------+

Some other posts suggest checking the dependencies, but I went through it and all are installed as far as I can see.

If I try to process the file manually I only receive this:

crowdsec -file mgz.access.log -type apache2

INFO[05-03-2021 12:17:50] [file datasource] opening file 'mgz.access.log'
ERRO[05-03-2021 12:17:50] Failed to notify(sent: false): <nil>
WARN[05-03-2021 12:17:50] Starting processing data
INFO[05-03-2021 12:17:50] reading mgz.access.log at once
127.0.0.1 - [Fri, 05 Mar 2021 12:17:51 CET] "POST /v1/watchers/login HTTP/1.1 200 237.414315ms "crowdsec/v1.0.7-18ff3a3a306d1xxx" "
WARN[05-03-2021 12:17:51] Acquisition is finished, shutting down
INFO[05-03-2021 12:17:51] Killing parser routines
INFO[05-03-2021 12:17:51] Bucket routine exiting

Hey !

I just checked, and I think our current apache2 log parser is a bit too restrictive and expects your logs to have the user-agent for example.

Would you mind trying the solution described in apache2 : parser is too restrictive · Issue #157 · crowdsecurity/hub · GitHub and see if it improves parsing capabilities?

I will try to upstream this change soon :+1:
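To make the "too restrictive" diagnosis concrete, here is an added illustration (my own Python, not the hub's grok pattern or any CrowdSec code): a strict access-log regex that insists on the trailing referer and user-agent fields, next to a relaxed one where those fields are optional. Run over constructed lines shaped like the Caddy Common Log Format samples above (addresses are made up), the strict pattern leaves every CLF line unparsed while the relaxed one parses both CLF and Combined lines. The field names are my own choice, not the hub parser's.

```python
import re

# Constructed sample lines, anonymized like the ones in the thread.
# Common Log Format (CLF) as Caddy emits it: no referer, no user-agent.
CLF_LINES = [
    '116.203.0.1 - - [05/Mar/2021:09:01:38 +0100] "GET /test/lists/sip_30d.txt HTTP/1.0" 200 1513',
    '2a01:4f8:1:2:3::1 - - [05/Mar/2021:09:30:01 +0100] "GET /test/lists/sip_30d.txt.gz HTTP/1.0" 200 1523',
    '93.240.0.1 - - [05/Mar/2021:11:30:18 +0100] "GET / HTTP/2.0" 401 0',
]
# A Combined Log Format line (constructed), which the strict pattern was written for.
COMBINED_LINE = ('93.240.0.1 - - [05/Mar/2021:11:27:29 +0100] "GET / HTTP/2.0" 200 1072 '
                 '"-" "Mozilla/5.0 (constructed)"')

# Shared prefix: client, ident, user, timestamp, request line, status, size.
COMMON = (r'^(?P<remote_addr>\S+) (?P<ident>\S+) (?P<user>\S+) '
          r'\[(?P<time>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<http_version>[\d.]+)" '
          r'(?P<status>\d{3}) (?P<body_bytes>\d+|-)')

# Strict: referer and user-agent are mandatory, so plain CLF never matches.
STRICT_RE = re.compile(COMMON + r' "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$')
# Relaxed: the trailing Combined fields are optional, so CLF lines match too.
RELAXED_RE = re.compile(COMMON + r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$')


def parse_access_line(line, pattern=RELAXED_RE):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = pattern.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Apache writes "-" for a zero-byte body; normalise it to 0.
    d["body_bytes"] = 0 if d["body_bytes"] == "-" else int(d["body_bytes"])
    return d


def parse_summary(lines, pattern):
    """Mimic the PARSED / UNPARSED columns of `cscli metrics` for a pattern."""
    results = [parse_access_line(line, pattern) for line in lines]
    return {"parsed": sum(1 for r in results if r),
            "unparsed": sum(1 for r in results if not r)}


if __name__ == "__main__":
    print("strict :", parse_summary(CLF_LINES, STRICT_RE))
    print("relaxed:", parse_summary(CLF_LINES, RELAXED_RE))
    print(parse_access_line(COMBINED_LINE)["agent"])
```

The design point is the optional group: a parser that requires Combined-only fields silently discards everything a CLF-configured proxy writes, and the only symptom is the UNPARSED column filling up. Making the extra fields optional keeps the Combined case working while no longer dropping CLF lines.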

Thanks a lot, for the Caddy log this did the trick. It's parsed now.

INFO[0000] Acquisition Metrics:
+-----------------------------------+------------+--------------+----------------+------------------------+
|              SOURCE               | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-----------------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log                 |         16 | -            |             16 | -                      |
| /var/log/caddy/dav-mgz.access.log |          8 |            8 | -              |                      3 |
| /var/log/caddy/mgz.access.log     |         11 |           11 | -              |                     10 |
| /var/log/syslog                   |         98 | -            |             98 | -                      |
+-----------------------------------+------------+--------------+----------------+------------------------+

Another question is why the SSH logs are unparsed. Even if I manually cause an auth error, it's not hitting.

#/var/log/auth.log
Mar  5 20:24:14 testhost sshd[455340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.200.xxx.xxx  user=root
Mar  5 20:24:17 testhost sshd[455336]: error: PAM: Authentication failure for root from 178.200.xxx.xxx
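For the sshd side, here is an added example (my own Python, not the hub's sshd-logs parser or the grok the linked PR adds) that splits a syslog line into its header and message, then matches the message against the authentication-failure variants seen in the lines above, plus the classic "Failed password" form. The sample lines are constructed and anonymized; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed auth.log lines, anonymized like the thread's samples.
AUTH_LINES = [
    "Mar  5 20:24:14 testhost sshd[455340]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=178.200.0.9  user=root",
    "Mar  5 20:24:17 testhost sshd[455336]: error: PAM: Authentication failure for root from 178.200.0.9",
    "Mar  5 20:24:20 testhost sshd[455336]: Failed password for root from 178.200.0.9 port 51234 ssh2",
    "Mar  5 20:25:01 testhost CRON[455400]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Stage 1 (like s00-raw/syslog-logs): timestamp, host, program, pid, message.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Stage 2 (like s01-parse/sshd-logs): message patterns that signal an auth failure.
# Each one captures the remote address and the user name that was tried.
SSHD_FAIL_PATTERNS = [
    re.compile(r'^pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)\s+user=(?P<user>\S+)'),
    re.compile(r'^error: PAM: Authentication failure for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'),
    re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'),
]


def parse_syslog_line(line):
    """Return the syslog header fields and message, or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def extract_ssh_failure(line):
    """Return {'ts', 'ip', 'user'} if the line is an sshd auth failure, else None."""
    rec = parse_syslog_line(line)
    if not rec or rec["prog"] != "sshd":
        return None
    for pat in SSHD_FAIL_PATTERNS:
        m = pat.match(rec["msg"])
        if m:
            return {"ts": rec["ts"], "ip": m.group("ip"), "user": m.group("user")}
    return None


def failures_per_source(lines):
    """Count matched failure lines per remote address (what a bucket would key on)."""
    return Counter(f["ip"] for f in map(extract_ssh_failure, lines) if f)


if __name__ == "__main__":
    for line in AUTH_LINES:
        print(extract_ssh_failure(line))
    print(failures_per_source(AUTH_LINES))
```

One caveat worth keeping in mind when writing such patterns: a single failed login emits several of these lines (the pam_unix line, the PAM error and the "Failed password" line), so matching all variants counts one attempt more than once. A scenario should either key on one canonical line or deduplicate per attempt, otherwise its threshold is reached faster than intended.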

Hello,

I have opened the MR to make the [change of apache2 upstream](https://github.com/crowdsecurity/hub/pull/176).
I will try to look into the ssh stuff a bit later; would you mind sharing a few more log samples?

Thanks,

And hello again, I opened an issue to keep track of the sshd logs issue.

Hello, this has been merged: add grok to catch auth fail log by he2ss · Pull Request #188 · crowdsecurity/hub · GitHub

Please let me know if it fixes your issue :slight_smile: