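# Stage 1 (s01-parse): grok the CouchDB HTTP request line and lift the fields
# that scenarios key on into evt.Meta.
#
# NOTE(review): `onsuccess: next_stage` is deliberately absent here. In CrowdSec
# that directive ends the stage as soon as this node succeeds, and the second
# document in this file (same stage, filtering on evt.Meta.stage_log) would then
# never see the event. Confirm this still holds for the CrowdSec version in use
# before adding it.
filter: "evt.Parsed.program == 'couchdb'"
name: aidalinfo/couchdb-log-node
description: "First step: get timestamp, source IP, user and request path from couchdb logs"
nodes:
  - grok:
      # The usual CouchDB chttpd request line looks like:
      #   [notice] <ISO8601 ts> <node> <pid> <reqid> <host:port> <peer-ip> <user> <method> <path> <status> ok <ms>
      # The unnamed GREEDYDATA swallows node/pid/reqid/host:port.
      # `user` used to be %{WORD} (\w+ only); a username containing '.', '-' or
      # '@' made the whole grok fail and the line went silently unparsed. The
      # fields are space-delimited, so %{NOTSPACE} is a strict superset of the
      # old behaviour and cannot over-match into the next field.
      pattern: '\[notice\] %{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA} %{IP:source_ip} %{NOTSPACE:user} %{WORD:http_method} %{URIPATHPARAM:request} %{NUMBER:http_status_code}'
      apply_on: message
    statics:
      # Marker consumed by the filter of the second document in this file.
      - meta: stage_log
        value: root-done
      # On an unauthenticated request CouchDB appears to log `undefined` as the
      # user, so on 401s this is rarely the attempted username — verify against
      # real log samples before building a per-user scenario on it.
      - meta: target_user
        expression: "evt.Parsed.user"
      # NOTE(review): this is the TCP peer as CouchDB saw it. Behind a reverse
      # proxy that is the proxy's address, not the client's, and any decision
      # derived from it would target the proxy. Confirm the deployment exposes
      # the real client IP on this line.
      - meta: source_ip
        expression: "evt.Parsed.source_ip"
      # evt.StrTime is what the enrichment stage turns into the event timestamp
      # (TIMESTAMP_ISO8601 needs no explicit StrTimeFormat).
      - target: evt.StrTime
        expression: evt.Parsed.timestamp
      # Full path including the query string. NOTE(review): query strings can
      # carry secrets (tokens, credentials) and evt.Meta is presumably attached
      # to alerts — consider whether the whole request should be retained.
      - meta: path_db
        expression: evt.Parsed.request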
---
# Stage-1 follow-up: evaluated in the same stage as the node above, only on
# events it already tagged (evt.Meta.stage_log == 'root-done'), and labels them
# by HTTP status so scenarios can key on evt.Meta.log_type. `onsuccess:
# next_stage` hands the event to the next stage once a sub-node matched.
name: aidalinfo/couchdb-log-subnode
description: "Second step sort if is bruteforce or crawl"
onsuccess: next_stage
filter: "evt.Meta.stage_log == 'root-done'"

nodes:
  # 401 — request rejected by CouchDB authentication; the raw material for a
  # credential-bruteforce / user-enumeration scenario.
  - filter: "evt.Parsed.http_status_code == '401'"
    debug: false
    statics:
      - meta: log_type
        value: bf-enum-couchdb
  # 404 — unknown database/document/endpoint, treated as crawling or probing.
  # NOTE(review): legitimate clients can also produce 404s in normal operation
  # (existence checks, replication checkpoint lookups), so a scenario built on
  # this label should expect noise from trusted clients and use a sensible
  # threshold and/or a whitelist.
  - filter: "evt.Parsed.http_status_code == '404'"
    debug: false
    statics:
      - meta: log_type
        value: crawl-couchdb