asterisk-logs Configuration

Installation

cscli parsers install crowdsecurity/asterisk-logs

Description

Parser for asterisk logs (parse only failed authentication logs for the moment).

YAML Configuration

1name: crowdsecurity/asterisk-logs
2description: "Parse Asterisk logs"
3filter: "evt.Parsed.program == 'asterisk'"
4onsuccess: next_stage
5nodes:
6  - grok:
7      pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="InvalidAccountID",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
8      apply_on: message
9      statics:
10        - meta: log_type
11          value: asterisk_failed_auth
12        - target: evt.StrTime
13          expression: evt.Parsed.timestamp
14        - meta: target_user
15          expression: evt.Parsed.username
16        - meta: session_id
17          expression: evt.Parsed.asterisk_session_id
18        - meta: asterisk_service
19          expression: evt.Parsed.asterisk_service
20  - grok:
21      pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="ChallengeResponseFailed",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
22      apply_on: message
23      statics:
24        - meta: log_type
25          value: asterisk_failed_auth
26        - target: evt.StrTime
27          expression: evt.Parsed.timestamp
28        - meta: target_user
29          expression: evt.Parsed.username
30        - meta: session_id
31          expression: evt.Parsed.asterisk_session_id
32        - meta: asterisk_service
33          expression: evt.Parsed.asterisk_service
34  - grok:
35      pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="InvalidPassword",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
36      apply_on: message
37      statics:
38        - meta: log_type
39          value: asterisk_failed_auth
40        - target: evt.StrTime
41          expression: evt.Parsed.timestamp
42        - meta: target_user
43          expression: evt.Parsed.username
44        - meta: session_id
45          expression: evt.Parsed.asterisk_session_id
46        - meta: asterisk_service
47          expression: evt.Parsed.asterisk_service
48statics:
49    - meta: service
50      value: asterisk
51    - meta: source_ip
52      expression: evt.Parsed.source_ip
53

Hub configuration

« asterisk-logs »
v0.5 by crowdsecurity
Log parser

Hub configuration

« asterisk-logs »v0.5 by crowdsecurityLog parser

« asterisk-logs »
v0.5 by crowdsecurity
Log parser