apache-guacamole-logs Log Parser

Installation

cscli parsers install corvese/apache-guacamole-logs

Description

A parser that will search for failed authentication attempts.

Modify the acquis.yaml configuraiton file. The type MUST be exactly as shown here or the parser will never be successful.

filenames:
  - /path/to/apache-guacamole.log
labels:
  type: apache-guacamole

❗ The type MUST be apache-guacamole ❗

The default log format used by quacamole is not supported by crowdsec as there is no date in the log line you will need to do the following to make it compatible, these are examples and should be changed to reflect your setup.

Create the following 'logback.xml' file in guacamole home dir to log with the correct Date format. STDOUT

<configuration>
    <!-- Default appender -->
    <appender name="GUAC-DEFAULT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%date{"yyyy-MM-dd'T'HH:mm:ss,SSSXXX", UTC} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Log at INFO level -->
    <root level="WARN">
        <appender-ref ref="GUAC-DEFAULT" />
    </root>

</configuration>

FILE:

<configuration>
    <!-- Default appender -->
    <appender name="GUAC-DEFAULT" class="ch.qos.logback.core.FileAppender">
        <file>/var/log/guacamole.log</file>
        <encoder>
            <pattern>%date{"yyyy-MM-dd'T'HH:mm:ss,SSSXXX", UTC} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Log at INFO level -->
    <root level="WARN">
        <appender-ref ref="GUAC-DEFAULT" />
    </root>

</configuration>

If using docker you will need to mount the following volume that links to the logback.xml file and set the GUACAMOLE_HOME variable

    volumes:
    - ./logback.xml:/home/guacamole/temp/logback.xml:ro
    environment:
      GUACAMOLE_HOME: /home/guacamole/temp/

YAML Configuration

1name: corvese/apache-guacamole-logs
2description: "Parses Apache Guacamole logs"
3filter: "evt.Parsed.program == 'apache-guacamole'"
4onsuccess: next_stage
5pattern_syntax:
6  GUAC_CUSTOMUSER: "(%{EMAILADDRESS}|%{USERNAME})"
7nodes:
8  - grok:
9      pattern: '%{TIMESTAMP_ISO8601:timestamp}.*Authentication attempt from \[?%{IP:source_ip}.*for user "%{GUAC_CUSTOMUSER:username}" failed'
10      apply_on: message
11      statics:
12        - meta: log_type
13          value: apache-guacamole_failed_auth
14        - meta: target_user
15          expression: evt.Parsed.username
16statics:
17    - meta: service
18      value: apache-guacamole
19    - meta: source_ip
20      expression: evt.Parsed.source_ip
21    - target: evt.StrTime
22      expression: evt.Parsed.timestamp
23

Hub configuration

« apache-guacamole-logs »
v0.2 by corvese
Log parser

Hub configuration

« apache-guacamole-logs »v0.2 by corveseLog parser

« apache-guacamole-logs »
v0.2 by corvese
Log parser