cscli parsers install LePresidente/authelia-logs
Parser for Authelia Logs.
---
filenames:
  - /var/log/Authelia.log
labels:
  type: authelia
debug: false
name: LePresidente/authelia-logs
filter: "evt.Parsed.program == 'authelia'"
description: "Parse Authelia logs"
pattern_syntax:
  AUTHELIA_USER: '%{EMAILADDRESS}|%{USERNAME}'
nodes:
  ## Main parsing section: the message is either key-value pairs or JSON
  - filter: TrimSpace(evt.Parsed.message) not startsWith "{" && ParseKV(evt.Parsed.message, evt.Unmarshaled, "authelia") in ["", nil]
    statics:
      - meta: log_format
        value: CLF
  - filter: evt.Unmarshaled.authelia == nil && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "authelia") in ["", nil]
    statics:
      - meta: log_format
        value: JSON

  ## Detect whether msg contains an authentication attempt, to parse out user info
  - grok:
      pattern: "%{WORD:auth_status} (1FA|Duo|TOTP|U2F) authentication attempt (made )?by user '%{AUTHELIA_USER:user}'"
      expression: evt.Unmarshaled.authelia.msg
    statics:
      - meta: log_type
        expression: 'evt.Parsed.auth_status == "Unsuccessful" ? "auth_failed" : "auth_success"'

  - grok:
      pattern: "Error .* getting details for user with username input '%{AUTHELIA_USER:user}'.*"
      expression: evt.Unmarshaled.authelia.msg
    statics:
      - meta: log_type
        value: auth_failed

  ## This section is a hack to let all Authelia logs pass to the next stage.
  ## If onsuccess next_stage is set at the root level, successful attempts are not
  ## passed on; passing them lets us do some impossible-travel scenarios.
  - filter: evt.Unmarshaled.authelia != nil
    onsuccess: next_stage
    statics:
      - meta: service
        value: authelia
statics:
  - meta: user
    expression: evt.Parsed.user
  - target: evt.StrTime
    expression: evt.Unmarshaled.authelia.time
  - meta: source_ip
    expression: evt.Unmarshaled.authelia.remote_ip
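To see what the parser above extracts, this added example (Python, not part of the hub entry or of CrowdSec) mimics its two decoding branches and two grok patterns. The `USER` regex is an approximation of the EMAILADDRESS and USERNAME grok patterns, and the sample log lines are constructed.

```python
import json
import re
import shlex

# Rough stand-in for the page's AUTHELIA_USER pattern (email address or username).
USER = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+|[A-Za-z0-9._-]+"
ATTEMPT = re.compile(
    r"(?P<auth_status>\w+) (?:1FA|Duo|TOTP|U2F) authentication attempt "
    r"(?:made )?by user '(?P<user>" + USER + r")'")
LOOKUP_ERROR = re.compile(
    r"Error .* getting details for user with username input '(?P<user>" + USER + r")'")

def unmarshal(line):
    """Return (fields, log_format): JSON if the line starts with '{', else key=value."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line), "JSON"
    pairs = (tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    return dict(pairs), "CLF"  # "CLF" is the label the parser gives key=value lines

def parse(line):
    """Mimic the meta fields the parser sets for one Authelia log line."""
    fields, fmt = unmarshal(line)
    meta = {"service": "authelia", "log_format": fmt,
            "source_ip": fields.get("remote_ip")}
    msg = fields.get("msg", "")
    m = ATTEMPT.search(msg)
    if m:
        meta["user"] = m["user"]
        meta["log_type"] = ("auth_failed" if m["auth_status"] == "Unsuccessful"
                            else "auth_success")
    elif (m := LOOKUP_ERROR.search(msg)):
        meta["user"] = m["user"]
        meta["log_type"] = "auth_failed"
    return meta

# Constructed sample lines, one per log format.
KV_LINE = ('time="2024-01-01T10:00:00Z" level=error '
           'msg="Unsuccessful 1FA authentication attempt by user \'alice\'" '
           'method=POST path=/api/firstfactor remote_ip=203.0.113.7')
JSON_LINE = json.dumps({"level": "info", "time": "2024-01-01T10:00:05Z",
    "msg": "Successful TOTP authentication attempt made by user 'bob@example.com'",
    "remote_ip": "198.51.100.9"})

if __name__ == "__main__":
    for sample in (KV_LINE, JSON_LINE):
        print(parse(sample))
```

Lines that match neither pattern still get `service` and `source_ip` but no `log_type`, which mirrors the final node passing every decoded Authelia event to the next stage.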