meshcentral-logs Log Parser

« meshcentral-logs »
v0.2 by a1ad
Log parser

Parse meshcentral logs

Installation

cscli parsers install a1ad/meshcentral-logs

Description

Parser for Meshcentral Auth Logs.

You need to add the following in the Meshcentral config file before Meshcentral starts logging: "authLog": "/opt/meshcentral/meshcentral-data/auth.log"

---
filenames:
 - /opt/meshcentral/meshcentral-data/auth.log
labels:
  type: meshcentral

YAML Configuration

1
2onsuccess: next_stage
3#debug: false
4name: a1ad/meshcentral-logs
5description: "Parse meshcentral logs"
6filter: "evt.Parsed.program == 'meshcentral'"
7pattern_syntax:
8  MESHCENTRAL_CUSTOMUSER: "(%{EMAILADDRESS}|%{USERNAME})"
9  MESHCENTRAL_CUSTOMDATE: "%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"
10nodes:
11  - grok:
12      pattern: '%{MESHCENTRAL_CUSTOMDATE:timestamp}.*Failed password for %{MESHCENTRAL_CUSTOMUSER:username} from %{IP:source_ip}.*'
13      apply_on: message
14      statics:
15        - meta: log_type
16          value: meshcentral_failed_auth
17
18statics:
19    - meta: service
20      value: meshcentral
21    - meta: user
22      expression: "evt.Parsed.username"
23    - meta: source_ip
24      expression: "evt.Parsed.source_ip"
25    - target: evt.StrTime
26      expression: evt.Parsed.timestamp
27

Hub configuration

« meshcentral-logs »v0.2 by a1adLog parser

« meshcentral-logs »
v0.2 by a1ad
Log parser