zoneminder-logs Log Parser

A parser that searches for unknown user and incorrect password logins to ZoneMinder by using web_php.log as a data source. Now supports new PHP date format; DEFAULT US/CAN format.

REQUIRED - example acquis.yaml entry - the type must be exactly as shown here or the parser will never be successful. The log path is the default path on a debian based distro, change to point towards where your ZoneMinder web_php.log is

filenames:
  - /var/log/zm/web_php.log
labels:
  type: zoneminder

❗ The type MUST be zoneminder ❗

IP is logged as evt.Parsed.source_ip and evt.Meta.source_ip
Username is logged as evt.Parsed.username and evt.Meta.username

1#filter: '1==1' # Testing

2filter: evt.Parsed.program == "zoneminder" # Production

3#debug: true

4onsuccess: next_stage

5name: baudneo/zoneminder-logs

6description: A parser for zoneminder web_php.log (Logins to DB/Web), now supports default PHP intl date format

7pattern_syntax:

8 ZM_TIME: '2[0123]|[01]?[0-9]:[0-5][0-9]:(?:[0-5]?[0-9]|60)\s?(AM|PM [A-Z]{3})?\.[0-9]{6}'

9 ZM_BADUSER: '^%{MONTHNUM:month}[/-]%{MONTHDAY:day}[/-]%{YEAR:year},?[- ]%{ZM_TIME:time} web_php\[\d+]\.[A-Z]{3} \[(%{IP:source_ip})\]\s\[Could not retrieve user %{DATA:username} details\]'

10 ZM_BADPASSWORD: '^%{MONTHNUM:month}[/-]%{MONTHDAY:day}[/-]%{YEAR:year},?[- ]%{ZM_TIME:time} web_php\[\d+]\.[A-Z]{3} \[(%{IP:source_ip})\]\s\[Login denied for user \"%{DATA:username}\"\]'

11##NEW BAD USER# 12/17/22, 10:31:29 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user aaaa details] at /usr/share/zoneminder/www/includes/auth.php line 395

12##NEW BAD PASS# 01/06/22, 10:31:29 PM MST.557710 web_php[688].ERR [99.1.1.1] [Login denied for user "validuser"] at /usr/share/zoneminder/www/includes/auth.php line 313

13##OLD BAD USER# 01/06/22 09:26:15.117434 web_php[258].ERR [99.1.1.1] [Could not retrieve user testuser details] at /usr/share/zoneminder/www/includes/auth.php line 313

14##OLD BAD PASS# 01/06/22 09:27:39.843338 web_php[688].ERR [99.1.1.1] [Login denied for user "validuser"] at /usr/share/zoneminder/www/includes/auth.php line 313

16nodes:

17 - grok:

18 name: "ZM_BADPASSWORD"

19 apply_on: message

20 statics:

21 - meta: log_type

22 value: zm_failed_auth

23 - meta: log_subtype

24 value: zm_bad_password

25 - meta: username

26 expression: evt.Parsed.username

27 - grok:

28 name: "ZM_BADUSER"

29 apply_on: message

30 statics:

31 - meta: log_type

32 value: zm_failed_auth

33 - meta: log_subtype

34 value: zm_bad_user

35 - meta: username

36 expression: evt.Parsed.username

38statics:

39 - meta: source_ip

40 expression: evt.Parsed.source_ip

41 - target: StrTime

42 expression: |-

43 "20" + evt.Parsed.year + "/" + evt.Parsed.month + "/" + evt.Parsed.day + " " + evt.Parsed.time

Hub configuration

« zoneminder-logs »
v0.2 by baudneo
Log parser

Hub configuration

« zoneminder-logs »v0.2 by baudneoLog parser

« zoneminder-logs »
v0.2 by baudneo
Log parser