Hi,
I've got a log which consists of several lines. I need to extract from one line the remote IP address and from another line the message text for a bad login.
I don't know how to combine the two lines for one event.
Could anybody help and explain how to handle the parser.yaml?
Is there a unique identifier which allows you to know that one line is affiliated with another line? Typically this might be an ID or UUID on the log line.
If the logs do not have this unique identifier then it is pretty difficult to achieve a two-log-line parse, as you cannot guarantee the order that is written to a file, so it can mistakenly affiliate a missed login to another line.
This is the whole log:
Feb 28 11:16:19 DMZ node[110]: ‘x-forwarded-for’: ‘111.111.194.60’,
Feb 28 11:16:19 DMZ node[110]: ‘x-real-ip’: ‘111.111.194.60’,
Feb 28 11:16:19 DMZ node[110]: ‘content-length’: ‘61’,
Feb 28 11:16:19 DMZ node[110]: ‘user-agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0’,
Feb 28 11:16:19 DMZ node[110]: accept: ‘text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8’,
Feb 28 11:16:19 DMZ node[110]: ‘accept-language’: ‘de,en-US;q=0.7,en;q=0.3’,
Feb 28 11:16:19 DMZ node[110]: ‘accept-encoding’: ‘gzip, deflate, br, zstd’,
Feb 28 11:16:19 DMZ node[110]: ‘content-type’: ‘application/x-www-form-urlencoded’,
Feb 28 11:16:19 DMZ node[110]: origin: ‘null’,
Feb 28 11:16:19 DMZ node[110]: cookie: ‘xid=e30=; xid.sig=idT5T7-04d8tRcbncfgDpH7_ytV0cOMk3aCtRYCb-VCkOOMQZqnu-rHJnwaxl0jG’,
Feb 28 11:16:19 DMZ node[110]: ‘upgrade-insecure-requests’: ‘1’,
Feb 28 11:16:19 DMZ node[110]: ‘sec-fetch-dest’: ‘document’,
Feb 28 11:16:19 DMZ node[110]: ‘sec-fetch-mode’: ‘navigate’,
Feb 28 11:16:19 DMZ node[110]: ‘sec-fetch-site’: ‘same-origin’,
Feb 28 11:16:19 DMZ node[110]: ‘sec-fetch-user’: ‘?1’,
Feb 28 11:16:19 DMZ node[110]: priority: ‘u=0, i’
Feb 28 11:16:19 DMZ node[110]: WEBREQUEST: (172.16.10.2) /
Feb 28 11:16:19 DMZ node[110]: WEB: handleRootPostRequest, action: login
Feb 28 11:16:22 DMZ node[110]: WEB: handleLoginRequest: login failed, bad username and password
These few lines come from the Debian journal when someone is trying to enter a bad password.
I need the ‘x-real-ip’ and the message “WEB: handleLoginRequest: login failed, bad username and password” to block the correct IP for a brute-force attack.
Is this a custom application or an open-source application? Currently, from the logs, I don't see an easy way to link multiple lines together.
It's not open source and there is no way to modify the log. The server first writes the HTTP headers with the real forwarded IP, and then in the last line the event of what happened, with the local IP of the reverse proxy…
Okay, and can't you detect this brute force at the reverse proxy level instead? Unfortunately, the logs are not compatible with CrowdSec, because there needs to be an identifier to match multiple lines together, and since you can't change the log format there is little we can do.
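One way to do the pairing that the thread says a single-line parser cannot do is a small pre-processor that runs before the log reaches the parser: it remembers the last x-real-ip header seen per host and process ID and attaches it to the next login-failure line from the same source, provided that line arrives within a short window, then emits one combined line per failure. The script below is an added example, not code from the thread or from CrowdSec. The sample lines are constructed from the excerpt above, the ten-second window and the LOGINFAIL output format are assumptions, and when no fresh header exists the failure is reported as unattributed rather than guessed, which is exactly the mis-attribution risk raised in the second reply.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the journal excerpt quoted in the thread.
# The real file presumably uses straight quotes; the forum rendered them as
# curly quotes, so the header regex below accepts either form.
SAMPLE_LOG = """\
Feb 28 11:16:19 DMZ node[110]: 'x-forwarded-for': '111.111.194.60',
Feb 28 11:16:19 DMZ node[110]: 'x-real-ip': '111.111.194.60',
Feb 28 11:16:19 DMZ node[110]: 'content-length': '61',
Feb 28 11:16:19 DMZ node[110]: WEBREQUEST: (172.16.10.2) /
Feb 28 11:16:19 DMZ node[110]: WEB: handleRootPostRequest, action: login
Feb 28 11:16:22 DMZ node[110]: WEB: handleLoginRequest: login failed, bad username and password
Feb 28 11:20:05 DMZ node[110]: 'x-real-ip': '203.0.113.7',
Feb 28 11:20:05 DMZ node[110]: WEB: handleRootPostRequest, action: login
Feb 28 11:20:06 DMZ node[110]: WEB: handleLoginRequest: login failed, bad username and password
Feb 28 11:25:00 DMZ node[110]: 'x-real-ip': '198.51.100.9',
Feb 28 11:25:30 DMZ node[110]: WEB: handleLoginRequest: login failed, bad username and password
Feb 28 11:30:00 DMZ node[110]: WEB: handleLoginRequest: login failed, bad username and password
"""

# Syslog-style prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Header line carrying the client address set by the reverse proxy
REAL_IP_RE = re.compile(r"^['\u2018]x-real-ip['\u2019]:\s*['\u2018](?P<ip>[^'\u2019]+)['\u2019]")
FAIL_RE = re.compile(r"^WEB: handleLoginRequest: login failed")


def parse_ts(text):
    """Parse the year-less syslog timestamp; the year is irrelevant for short deltas."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def correlate(lines, window_seconds=10):
    """Pair each 'login failed' line with the most recent x-real-ip header from the
    same host/pid, provided it arrived within window_seconds (assumed default: 10).
    Each header is consumed by at most one failure, so a second failure without its
    own header is reported as unattributed instead of blamed on the previous client."""
    pending = {}   # (host, pid) -> (timestamp, client ip) of the last x-real-ip seen
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        key = (m["host"], m["pid"])
        ts = parse_ts(m["ts"])
        msg = m["msg"]
        ip_m = REAL_IP_RE.match(msg)
        if ip_m:
            pending[key] = (ts, ip_m["ip"])
            continue
        if not FAIL_RE.match(msg):
            continue
        event = {"ts": m["ts"], "host": m["host"], "prog": m["prog"], "pid": m["pid"],
                 "ip": None, "reason": None}
        seen = pending.pop(key, None)
        if seen is None:
            event["reason"] = "no x-real-ip header seen before this failure"
        elif (ts - seen[0]).total_seconds() > window_seconds:
            event["reason"] = "x-real-ip header older than window"
        else:
            event["ip"] = seen[1]
        events.append(event)
    return events


def format_event(event):
    """Emit one single-line record per failure that a line-oriented parser can match
    (the LOGINFAIL format is an assumption for this example)."""
    src = event["ip"] if event["ip"] else "unknown"
    return f"{event['ts']} {event['host']} {event['prog']}[{event['pid']}]: LOGINFAIL src_ip={src}"


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        line = format_event(ev)
        print(line if ev["ip"] else f"{line}  # {ev['reason']}")
```

Run on the sample, the first two failures are attributed to 111.111.194.60 and 203.0.113.7; the third is left as src_ip=unknown because its header is 30 seconds old, and the fourth because no header preceded it at all. Only lines with a real src_ip should ever feed a ban decision; the window should be tuned to how long the application takes between logging the headers and logging the result.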