gotify-logs Log Parser

A parser that will search for unauthorized (401) status code in a log file that gotify is outputting its stdout to. From testing it seems gotify returns a 401 for unknown user, bad password, and incorrect tokens. There is no way to determine which is which so this parser will only search for 401 status code.

REQUIRED - example acquis.yaml entry - The type MUST be exactly as shown here or the parser will never be successful.

1filenames:
2  - /path/to/gotify.log
3labels:
4  type: gotify

❗ The type MUST be gotify ❗

The IP is the only data grabbed from the log and is stored in evt.Parsed.source_ip and evt.Meta.source_ip

You must create your own Dockerfile and then build it. Example Dockerfile as follows.

1FROM gotify/server
2ENTRYPOINT /bin/bash -c '/app/gotify-app | tee /app/data/gotify.log'

Build the image sudo docker build -t <TAG NAME>
Example <TAG NAME> - server/gotify:logger
Now make a docker-compose file to use the image, the log file will end up in the gotify_data directory

1  gotify:
2    image: gotify/server:logger
3    container_name: gotify
4    restart: always
5    ports:
6      - 8080:80
7    volumes:
8      - "./gotify_data:/app/data"
9

1#filter: '1 == 1' # For hub tests

2filter: evt.Parsed.program == "gotify" # Production

3#debug: true

4onsuccess: next_stage

5name: baudneo/gotify-logs

6description: parser for Gotify server

7pattern_syntax:

8 GOTIFY_SEPERATOR: '%{SPACE}\|%{SPACE}'

9 GOTIFY_401: '^\[GIN\]\s*%{YEAR:year}/%{MONTHNUM:month}/%{NUMBER:day}%{SPACE}[-]%{SPACE}%{TIME:time}%{GOTIFY_SEPERATOR}401%{GOTIFY_SEPERATOR}%{DATA:request_time_took}%{GOTIFY_SEPERATOR}%{IP:source_ip}%{GOTIFY_SEPERATOR}%{WORD:request_type}%{SPACE}"%{DATA:endpoint}"'

10nodes:

11 - grok:

12 name: "GOTIFY_401"

13 apply_on: message

14 statics:

15 - target: StrTime

16 expression: |-

17 evt.Parsed.year+ "/" + evt.Parsed.month + "/" + evt.Parsed.day + " " + evt.Parsed.time

18 - grok:

19 pattern: '%{TIMESTAMP_ISO8601:timestamp}%{GOTIFY_SEPERATOR}401%{GOTIFY_SEPERATOR}%{DATA:request_time_took}%{GOTIFY_SEPERATOR}%{IP:source_ip}%{GOTIFY_SEPERATOR}%{WORD:request_type}%{SPACE}"%{DATA:endpoint}"'

20 apply_on: message

21 statics:

22 - target: StrTime

23 expression: evt.Parsed.timestamp

24statics:

25 - meta: source_ip

26 expression: evt.Parsed.source_ip

27 - meta: log_type

28 value: gotify_failed_auth

Hub configuration

« gotify-logs »
v0.2 by baudneo
Log parser

Hub configuration

« gotify-logs »v0.2 by baudneoLog parser

« gotify-logs »
v0.2 by baudneo
Log parser