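---
# CrowdSec parser for SFTPGo logs emitted as JSON (syslog program "sftpgo").
# The top-level filter admits an event only when its message unmarshals into
# evt.Unmarshaled.sftpgo; each node below keys on that JSON's "sender" field.
onsuccess: next_stage
filter: "evt.Parsed.program == 'sftpgo' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'sftpgo') in ['', nil]"
name: Azlaroc/sftpgo-logs
description: "Parse SFTPGo logs from JSON"

# Applied once a node has matched: service tag, log level and the event
# timestamp taken from the JSON "time" field.
statics:
  - meta: service
    value: sftpgo
  - meta: log_level
    expression: evt.Unmarshaled.sftpgo.level
  - target: evt.StrTime
    expression: evt.Unmarshaled.sftpgo.time

nodes:
  # Successful login reported as a structured "login" event; all metas come
  # straight from JSON fields.
  - filter: "evt.Unmarshaled.sftpgo.sender == 'login'"
    statics:
      - meta: log_type
        value: auth_success
      - meta: source_ip
        expression: evt.Unmarshaled.sftpgo.ip
      - meta: user
        expression: evt.Unmarshaled.sftpgo.username
      - meta: protocol
        expression: evt.Unmarshaled.sftpgo.protocol
      - meta: login_method
        expression: evt.Unmarshaled.sftpgo.method

  # Successful login reported only as free text in "message" by the SSH/FTP
  # senders. The nil check must precede `contains`, and username/IP are grok
  # captures from that text (evt.Parsed.*), not structured fields — so this
  # node is weaker than the one above and only fires when the pattern matches.
  - filter: "evt.Unmarshaled.sftpgo.sender in ['SSH', 'FTP'] && evt.Unmarshaled.sftpgo.message != nil && evt.Unmarshaled.sftpgo.message contains 'logged in'"
    grok:
      expression: evt.Unmarshaled.sftpgo.message
      pattern: 'User "%{DATA:username}" logged in.* from ip "%{IP:source_ip}"'
    statics:
      - meta: log_type
        value: auth_success
      - meta: source_ip
        expression: evt.Parsed.source_ip
      - meta: user
        expression: evt.Parsed.username

  # Failed login: SFTPGo's "connection_failed" event. Note the field is
  # "client_ip" here (not "ip"), the attempted account is exposed as
  # target_user, and log_type is 'sftpgo_auth' rather than an "auth_failure"
  # counterpart of the success nodes — keep it unchanged unless any scenario
  # matching on it is updated as well.
  - filter: "evt.Unmarshaled.sftpgo.sender == 'connection_failed'"
    statics:
      - meta: log_type
        value: sftpgo_auth
      - meta: source_ip
        expression: evt.Unmarshaled.sftpgo.client_ip
      - meta: target_user
        expression: evt.Unmarshaled.sftpgo.username
      - meta: protocol
        expression: evt.Unmarshaled.sftpgo.protocol
      - meta: login_type
        expression: evt.Unmarshaled.sftpgo.login_type
      - meta: error
        expression: evt.Unmarshaled.sftpgo.error
      - meta: is_failed_login
        value: "true"  # quoted on purpose: meta values are strings, not booleans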
52