unam
January 4, 2022, 10:05am
Hi,
I’m trying to write a parser for proxmox virtual env (pve) authentication system.
It currently writes to syslog something like:
Jan 3 17:42:01 dedie-h pvedaemon[2885697]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure
Following this doc: Creating parsers | CrowdSec, I am writing the parser. When I try to run it against my log file, the first part (syslog parser) is ok but it always returns false against my proxmox-logs parser.
I am pretty sure it’s a stupid mistake on my part but I can’t find where.
parsers/s01-parse/crowdsecurity/proxmox-logs.yaml
debug: true
name: crowdsecurity/proxmox-logs
description: "Parse syslog, searching for proxmox bruteforce patterns"
filter: "evt.Parsed.program == 'pvedaemon'"
onsuccess: next_stage
pattern_syntax:
  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
  PVE_AUTH_FAIL: '%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{SYSLOGPROG}: authentication failure; rhost=%{IPV6}:%{IP_WORKAROUND:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg=Authentication failure'
nodes:
  - grok:
      name: "PVE_AUTH_FAIL"
      apply_on: message
    statics:
      - meta: log_type
        value: pve_failed-auth
      - meta: source_user
        expression: "evt.Parsed.source_user"
statics:
  - meta: service
    value: pvedaemon
  - meta: source_ip
    expression: "evt.Parsed.client_ip"
Note: I just tried with the IPv4_WORKAROUND variable without success. Before that change I was using %{IPV4}.
.tests/proxmox-logs/config.yaml
parsers:
  - crowdsecurity/syslog-logs
  - parsers/s01-parse/crowdsecurity/proxmox-logs.yaml
scenarios:
  - ""
postoverflows:
  - ""
log_file: proxmox-logs.log
log_type: syslog
labels: {}
ignore_parsers: false
Thanks for your reply
Hello !
At first glance, it seems that you are trying to “re” parse the syslog headers, but the syslog parser did it already, so you just have to parse the message itself (syslogtimestamp, sysloghost and syslogprog are already taken care of).
You can use cscli explain to see exactly what happens !
Hope this helps,
unam
January 4, 2022, 10:42am
My bad, I just removed the syslog part, thanks!
I also removed the IPv4_WORKAROUND, not needed anymore.
Here is the final result:
debug: true
name: crowdsecurity/proxmox-logs
description: "Parse syslog, searching for proxmox bruteforce patterns"
filter: "evt.Parsed.program == 'pvedaemon'"
onsuccess: next_stage
pattern_syntax:
  PVE_AUTH_FAIL: 'authentication failure; rhost=%{IPV6}:%{IPV4:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg=Authentication failure'
nodes:
  - grok:
      name: "PVE_AUTH_FAIL"
      apply_on: message
    statics:
      - meta: log_type
        value: pve_failed-auth
      - meta: source_user
        expression: "evt.Parsed.source_user"
statics:
  - meta: service
    value: pvedaemon
  - meta: source_ip
    expression: "evt.Parsed.client_ip"
With this output:
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Success == true
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["client_ip"] == "1.2.3.4"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["logsource"] == "syslog"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["pid"] == "2885697"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["timestamp"] == "Jan 3 17:42:01"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["program"] == "pvedaemon"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["realm"] == "pam"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Parsed["source_user"] == "root"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["machine"] == "dedie-h"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["service"] == "pvedaemon"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["source_user"] == "root"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["datasource_path"] == "proxmox-logs.log"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["crowdsecurity/proxmox-logs"][1].Evt.Meta["log_type"] == "pve_failed-auth"
Thanks !
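As an added example (not code from the thread or from CrowdSec), the two stages the reply above describes, in Python: the syslog header is split off first, and only then is the PVE_AUTH_FAIL pattern applied to the message. It goes one step beyond the thread's final pattern by also accepting a plain IPv4 or IPv6 rhost, which `rhost=%{IPV6}:%{IPV4:client_ip}` would not match; that behaviour and the sample lines (other than the one quoted in the thread) are assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Stage 1, what crowdsecurity/syslog-logs does: split the syslog header off
# and leave only the payload in "message" for the next stage.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<machine>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Stage 2, the thread's PVE_AUTH_FAIL pattern applied to the message only.
# The "::ffff:" prefix of an IPv4-mapped rhost (as in the thread's sample) is
# stripped so client_ip is the bare IPv4; a plain IPv4/IPv6 rhost is also
# accepted (an assumption about pvedaemon output, not shown in the thread).
PVE_AUTH_FAIL_RE = re.compile(
    r"^authentication failure; rhost=(?:::ffff:)?(?P<client_ip>[0-9a-fA-F:.]+) "
    r"user=(?P<source_user>[^@\s]+)@(?P<realm>\w+) msg=Authentication failure$"
)

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LINES = [
    "Jan 3 17:42:01 dedie-h pvedaemon[2885697]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure",
    "Jan 3 17:42:05 dedie-h pvedaemon[2885697]: authentication failure; rhost=::ffff:1.2.3.4 user=admin@pve msg=Authentication failure",
    "Jan 3 17:42:09 dedie-h pvedaemon[2885697]: authentication failure; rhost=2001:db8::10 user=root@pam msg=Authentication failure",
    "Jan 3 17:43:00 dedie-h cron[4242]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_pve_auth_failure(line: str) -> Optional[dict]:
    """Run both stages over one raw line and return the Parsed/Meta fields the
    thread's parser produces, or None where CrowdSec would report the node as
    false (header not matched, program filter not met, or grok miss)."""
    header = SYSLOG_RE.match(line)
    if not header or header.group("program") != "pvedaemon":
        return None  # filter: evt.Parsed.program == 'pvedaemon'
    body = PVE_AUTH_FAIL_RE.match(header.group("message"))
    if not body:
        return None
    evt = {**header.groupdict(), **body.groupdict()}
    # The parser's statics: log_type, service and source_ip.
    evt.update(log_type="pve_failed-auth", service="pvedaemon", source_ip=evt["client_ip"])
    return evt


def failures_by_ip(lines) -> dict:
    """Count auth failures per source_ip, the aggregation a bruteforce scenario
    would run over this parser's output."""
    events = (parse_pve_auth_failure(line) for line in lines)
    return dict(Counter(e["source_ip"] for e in events if e))
```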
Awesome
Would you mind contributing it to the hub ? Hub | CrowdSec
unam
January 4, 2022, 10:52am
Yep, that was the idea. I was looking for a product I use daily to try writing a crowdsec parser and start contributing.
I keep reading the doc and doing some tests on my side; I also have to learn how to detect a bruteforce using this parser.
When everything is ok, I’ll submit.