Proxmox failed auth parser

Hi,

I’m trying to write a parser for the Proxmox Virtual Environment (PVE) authentication system.

It currently writes to syslog something like:

Jan  3 17:42:01 dedie-h pvedaemon[2885697]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure

Following this doc: Creating parsers | CrowdSec, I am writing the parser. When I try to run it against my log file, the first part (syslog parser) is OK, but it always returns false against my proxmox-logs parser.

I am pretty sure it’s a stupid mistake on my part, but I can’t find where.

  • parsers/s01-parse/crowdsecurity/proxmox-logs.yaml
debug: true
name: crowdsecurity/proxmox-logs
description: "Parse syslog, searching for proxmox bruteforce patterns"
filter: "evt.Parsed.program == 'pvedaemon'"
onsuccess: next_stage
pattern_syntax:
  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
  PVE_AUTH_FAIL: '%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{SYSLOGPROG}: authentication failure; rhost=%{IPV6}:%{IP_WORKAROUND:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg=Authentication failure'
nodes:
  - grok:
      name: "PVE_AUTH_FAIL"
      apply_on: message
      statics:
        - meta: log_type
          value: pve_failed-auth
        - meta: source_user
          expression: "evt.Parsed.source_user"
statics:
    - meta: service
      value: pvedaemon
    - meta: source_ip
      expression: "evt.Parsed.client_ip"

Note: I just tried with the IPv4_WORKAROUND variable without success. Before that change I was using %{IPV4}.

  • .tests/proxmox-logs/config.yaml
parsers:
- crowdsecurity/syslog-logs
- parsers/s01-parse/crowdsecurity/proxmox-logs.yaml
scenarios:
- ""
postoverflows:
- ""
log_file: proxmox-logs.log
log_type: syslog
labels: {}
ignore_parsers: false

Thanks for your reply :slight_smile:

Hello!

At first glance, it seems that you are trying to re-parse the syslog headers, but the syslog parser already did that, so you just have to parse the message itself (syslogtimestamp, sysloghost and syslogprog are already taken care of).

You can use cscli explain to see exactly what happens!

Hope this helps,

My bad, I just removed the syslog part, thanks!
I also removed the IPv4_WORKAROUND, it is not needed anymore.

Here is the final result:

debug: true
name: crowdsecurity/proxmox-logs
description: "Parse syslog, searching for proxmox bruteforce patterns"
# only events the syslog stage attributed to pvedaemon reach this parser
filter: "evt.Parsed.program == 'pvedaemon'"
onsuccess: next_stage
pattern_syntax:
  # applied to the message only; the syslog header is already stripped by crowdsecurity/syslog-logs
  # rhost carries an IPv4-mapped IPv6 address (::ffff:1.2.3.4), so the %{IPV6} prefix is skipped
  # and the trailing %{IPV4} is captured as client_ip
  PVE_AUTH_FAIL: 'authentication failure; rhost=%{IPV6}:%{IPV4:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg=Authentication failure'
nodes:
  - grok:
      name: "PVE_AUTH_FAIL"
      apply_on: message
      statics:
        - meta: log_type
          value: pve_failed-auth
        - meta: source_user
          expression: "evt.Parsed.source_user"
statics:
  - meta: service
    value: pvedaemon
  - meta: source_ip
    expression: "evt.Parsed.client_ip"

With this output:

results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Success == true
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["client_ip"] == "1.2.3.4"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["logsource"] == "syslog"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["pid"] == "2885697"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["timestamp"] == "Jan  3 17:42:01"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["program"] == "pvedaemon"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["realm"] == "pam"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["source_user"] == "root"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["machine"] == "dedie-h"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["service"] == "pvedaemon"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["source_user"] == "root"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["datasource_path"] == "proxmox-logs.log"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["log_type"] == "pve_failed-auth"

Thanks! :slight_smile:
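To make the stage-ordering point from the reply concrete, here is an added Python example (not CrowdSec's code, and not from the thread) that mimics the two stages with simplified regex stand-ins for the grok patterns: the first PVE_AUTH_FAIL attempt fails on the message field because the syslog stage has already consumed the header, while the final pattern matches and yields the same client_ip, source_user and realm as the test output above. The GROK table and the syslog-stage regex are assumptions, not the real grok library.

```python
import re

# Constructed sample line, same shape as the one quoted in the thread.
RAW_LINE = ("Jan  3 17:42:01 dedie-h pvedaemon[2885697]: authentication failure; "
            "rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure")

# Simplified stand-ins for the grok patterns the parser refers to (assumption:
# CrowdSec's real grok definitions are stricter; these only need to be close
# enough to show why the first attempt never matched).
GROK = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    "SYSLOGPROG": r"[\w.-]+(?:\[\d+\])?",
    "IPV6": r"[0-9a-fA-F:]+",            # loose; backtracks to "::ffff" before the ":"
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "WORD": r"\w+",
}

# The two patterns from the thread: the first attempt and the working one.
BROKEN = ("%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{SYSLOGPROG}: authentication failure; "
          "rhost=%{IPV6}:%{IPV4:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} "
          "msg=Authentication failure")
FIXED = ("authentication failure; rhost=%{IPV6}:%{IPV4:client_ip} "
         "user=%{USERNAME:source_user}@%{WORD:realm} msg=Authentication failure")

def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} into a regex with named capture groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK[name]})" if field else f"(?:{GROK[name]})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

def apply_pattern(pattern, text):
    """Return the captured fields if the grok pattern matches text, else None."""
    m = re.match(grok_to_regex(pattern), text)
    return m.groupdict() if m else None

def syslog_stage(line):
    """Mimic crowdsecurity/syslog-logs: split the header off, keep only the message."""
    m = re.match(r"(?P<timestamp>" + GROK["SYSLOGTIMESTAMP"] + r") (?P<machine>[\w.-]+) "
                 r"(?P<program>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$", line)
    return m.groupdict() if m else None

def pve_stage(parsed, pattern):
    """Apply a PVE_AUTH_FAIL pattern on evt.Parsed.message, as apply_on: message does."""
    return apply_pattern(pattern, parsed["message"])

if __name__ == "__main__":
    parsed = syslog_stage(RAW_LINE)
    print("broken pattern on message:", pve_stage(parsed, BROKEN))  # None
    print("fixed pattern on message: ", pve_stage(parsed, FIXED))
```

The broken pattern does match the raw line, which is why it looks right when tested against the full log entry but never fires on the message the syslog stage hands over.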

Awesome :slight_smile:
Would you mind contributing it to the hub? Hub | CrowdSec

Yep, that was the idea: I was looking for a product I use daily to try writing a CrowdSec parser and start contributing.

I keep reading the doc and doing some tests on my side; I also have to learn how to detect a bruteforce using this parser.
When everything is OK, I’ll submit :slight_smile:
