Hi
Has someone done some work to process Sympa logs for crowdsec?
To detect bad scans like:
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "pki-validation"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "packed.php"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "log.php"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "js"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list ".ll"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "IXR"
... wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 78542549836374] [client 172.192.56.48] Unknown list "themes"
Thanks & cheers
Safe to presume if there is no issue on the hub then nobody has brought it up before.
Since I did not find anything for “Sympa”, I’m starting to write a parser for it.
This is working:
- no error
- metadata well extracted
name: local/sympa_ww-logs
description: "Parse wwsympa syslog lines"
stage: s01-parse
filter: "evt.Parsed.program startsWith 'wwsympa'"
nodes:
  - grok:
      pattern: '%{WORD:sympa_loglevel} %{GREEDYDATA:sympa_where_action} (?:\[robot %{DATA:sympa_robot}\]) (?:\[session %{DATA:sympa_session}\]) (?:\[client %{IPORHOST:sympa_client}\])( %{GREEDYDATA:sympa_message})?'
      #apply_on: Line.Raw
      apply_on: message
    # statics: declare a log_type and convert the timestamp into Time
    statics:
      # - meta: log_type
      #   value: sympa_ww
      # - target: evt.StrTime
      #   expression: evt.Parsed.time_local
      - meta: service
        value: sympa
    nodes:
      - filter: "evt.Parsed.sympa_message contains ' Unknown action '"
        statics:
          - meta: sympa_warn
            value: unknow-action
statics:
  - meta: service
    value: sympa
  - meta: sympa_where_action
    expression: "evt.Parsed.sympa_where_action"
  - meta: sympa_robot
    expression: "evt.Parsed.sympa_robot"
An explain says:
line: Nov 06 10:02:52 tools.comptoir.net wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 08203929330290] [client 109.74.87.2] [user root@comptoir.net] Unknown action favicon.ico
├ s00-raw
| └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
| └ update evt.ExpectMode : %!s(int=0) -> 1
| └ update evt.Stage : -> s01-parse
| └ update evt.Line.Raw : -> Nov 06 10:02:52 tools.comptoir.net wwsympa[1278]: info main:: [robot listes.comptoir.net] [session 08203929330290] [client 109.74.87.2] [user root@comptoir.net] Unknown action favicon.ico
| └ update evt.Line.Src : -> /home/pollux/crowdsec/sympa01-dev.log
| └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-11-06 16:21:50.659196358 +0000 UTC
| └ create evt.Line.Labels.type : syslog
| └ update evt.Line.Process : %!s(bool=false) -> true
| └ update evt.Line.Module : -> file
| └ create evt.Parsed.program : wwsympa
| └ create evt.Parsed.timestamp : Nov 06 10:02:52
| └ create evt.Parsed.timestamp8601 :
| └ create evt.Parsed.facility :
| └ create evt.Parsed.logsource : syslog
| └ create evt.Parsed.message : info main:: [robot listes.comptoir.net] [session 08203929330290] [client 109.74.87.2] [user root@comptoir.net] Unknown action favicon.ico
| └ create evt.Parsed.pid : 1278
| └ create evt.Parsed.priority :
| └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-11-06 16:21:50.65937763 +0000 UTC
| └ update evt.StrTime : -> Nov 06 10:02:52
| └ create evt.Meta.datasource_path : /home/pollux/crowdsec/sympa01-dev.log
| └ create evt.Meta.datasource_type : file
| └ create evt.Meta.machine : tools.comptoir.net
├ s01-parse
| └ 🟢 local/sympa_ww-logs (+10)
| └ create evt.Parsed.sympa_client : 109.74.87.2
| └ create evt.Parsed.sympa_loglevel : info
| └ create evt.Parsed.sympa_message : [user root@comptoir.net] Unknown action favicon.ico
| └ create evt.Parsed.sympa_robot : listes.comptoir.net
| └ create evt.Parsed.sympa_session : 08203929330290
| └ create evt.Parsed.sympa_where_action : main::
| └ create evt.Meta.sympa_where_action : main::
| └ create evt.Meta.service : sympa
| └ create evt.Meta.sympa_robot : listes.comptoir.net
| └ create evt.Meta.sympa_warn : unknow-action
└-------- parser failure 🔴
I don’t understand the final “parser failure” … Have I missed something?
Yes, for logs you must pass one s02 stage, so the easiest is to set source_ip in the meta, which is the “connecting” IP address, for geoip-enrich to work.
For “cold log” mode you must also set evt.StrTime for dateparser-enrich, which will format the time of the log, rather than in “live mode”, which uses the time when the log was read.
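To make the reply concrete, here is an added example (not code from this thread, nor from the CrowdSec or Sympa projects): a plain-Python mock of the s00/s01 parsing the thread's parser does, extended with the two things the reply says the next stage needs, Meta.source_ip copied from the [client ...] field and StrTime taken from the syslog timestamp. It also adds a small detector for the scan pattern the first post asks about, counting distinct non-existent list names per client. Field names follow the thread; the "unknown-list"/"sympa_list" meta keys, the syslog prefixes on the sample lines and the threshold of 5 distinct names are assumptions made for the example.

```python
"""Added example, not code from this thread or from the CrowdSec/Sympa projects.

Mock of the wwsympa parser from the thread, plus the two fields the reply says
an s02 stage needs (Meta.source_ip and StrTime), and a small scan detector.
Assumptions: the "unknown-list"/"sympa_list" meta keys, the syslog prefixes on
the constructed sample lines, and the detection threshold of 5.
"""
import re
from collections import defaultdict

# Syslog prefix in the shape the explain output shows:
# "Nov 06 10:02:52 tools.comptoir.net wwsympa[1278]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

# Regex equivalent of the grok pattern posted in the thread (sympa_* fields).
WWSYMPA_RE = re.compile(
    r"^(?P<sympa_loglevel>\w+) (?P<sympa_where_action>.+?) "
    r"\[robot (?P<sympa_robot>[^\]]+)\] "
    r"\[session (?P<sympa_session>[^\]]+)\] "
    r"\[client (?P<sympa_client>[^\]]+)\]"
    r"(?: (?P<sympa_message>.*))?$"
)

UNKNOWN_LIST_RE = re.compile(r'Unknown list "(?P<name>[^"]*)"')


def parse_line(line):
    """Mimic s00 (syslog) + s01 (wwsympa) parsing for one raw line.

    Returns a dict with Parsed, Meta and StrTime, or None when the line is not
    a wwsympa line (the real parser's filter would skip it the same way).
    """
    syslog = SYSLOG_RE.match(line)
    if not syslog or syslog.group("program") != "wwsympa":
        return None
    sympa = WWSYMPA_RE.match(syslog.group("message"))
    if not sympa:
        return None
    parsed = {**syslog.groupdict(), **sympa.groupdict()}
    meta = {
        "service": "sympa",
        "sympa_robot": parsed["sympa_robot"],
        "sympa_where_action": parsed["sympa_where_action"],
        # What the s02 stage needs: the connecting IP, here the [client] field.
        "source_ip": parsed["sympa_client"],
    }
    message = parsed.get("sympa_message") or ""
    unknown_list = UNKNOWN_LIST_RE.search(message)
    if unknown_list:
        meta["sympa_warn"] = "unknown-list"              # assumed meta value
        meta["sympa_list"] = unknown_list.group("name")  # assumed meta key
    elif " Unknown action " in message:
        meta["sympa_warn"] = "unknown-action"
    # StrTime: the syslog timestamp, what dateparser-enrich reads in cold-log mode.
    return {"Parsed": parsed, "Meta": meta, "StrTime": parsed["timestamp"]}


def detect_unknown_list_scans(events, threshold=5):
    """Group "Unknown list" events by source_ip and return the clients that
    probed at least `threshold` distinct non-existent list names."""
    probes = defaultdict(set)
    for event in events:
        if event and event["Meta"].get("sympa_warn") == "unknown-list":
            probes[event["Meta"]["source_ip"]].add(event["Meta"]["sympa_list"])
    return {ip: sorted(names) for ip, names in probes.items() if len(names) >= threshold}


# Constructed sample: the thread's seven "Unknown list" lines given a syslog
# prefix, the thread's "Unknown action" line, one benign unknown-list hit from
# another client, and one non-wwsympa line the parser must ignore.
_PREFIX = "tools.comptoir.net wwsympa[1278]: info main:: [robot listes.comptoir.net]"
SAMPLE_LINES = [
    f"Nov 06 10:02:5{i} {_PREFIX} [session 78542549836374] [client 172.192.56.48] "
    f'Unknown list "{name}"'
    for i, name in enumerate(["pki-validation", "packed.php", "log.php", "js",
                              ".ll", "IXR", "themes"])
] + [
    f"Nov 06 10:02:52 {_PREFIX} [session 08203929330290] [client 109.74.87.2] "
    "[user root@comptoir.net] Unknown action favicon.ico",
    f"Nov 06 10:03:10 {_PREFIX} [session 08203929330290] [client 109.74.87.2] "
    'Unknown list "newsletter"',
    "Nov 06 10:03:11 tools.comptoir.net sshd[4242]: not a wwsympa line",
]

if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LINES]
    for ip, names in detect_unknown_list_scans(events).items():
        print(f"{ip} probed {len(names)} unknown lists: {names}")
```

Run as a script it reports the one client from the first post, since it probed seven distinct non-existent lists while the second client only hit one; in a real CrowdSec setup the same grouping is what a leaky-bucket scenario keyed on evt.Meta.source_ip would do, which is why the parser has to populate that meta field first.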
Ok, I’ve made a test environment and it’s now much clearer.