exchange-imap-logs Configuration

« exchange-imap-logs »
v0.1 by crowdsecurity
Log parser

Parse exchange IMAP logs

Installation

cscli parsers install crowdsecurity/exchange-imap-logs

YAML Configuration

1filter: "evt.Parsed.program == 'exchange-imap'"
2onsuccess: next_stage
3#debug: true
4name: crowdsecurity/exchange-imap-logs
5description: "Parse exchange IMAP logs"
6#dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context,puid
7#2022-06-16T09:41:21.094Z,000000000000004B,2,192.168.9.241:993,192.168.9.212:49016,foobar,34,31,31,authenticate,PLAIN,"R=""2 NO AUTHENTICATE failed."";Msg=""AuthFailed:LogonDenied,User: foobar"";ErrMsg=AuthFailed:LogonDenied",
8grok:
9  pattern: "%{TIMESTAMP_ISO8601:date},%{DATA:session_id},%{INT:sequence_number},%{IPORHOST:server_ip}:%{INT:server_port},%{IPORHOST:client_ip}:%{INT:client_port},%{DATA:username},%{INT:duration},%{INT:rqsize},%{INT:rpsize},%{WORD:command},%{DATA:parameters},%{DATA}AuthFailed:LogonDenied\",%{DATA:puid}?"
10  apply_on: message
11statics:
12  - target: evt.StrTime
13    expression: evt.Parsed.date
14  - meta: source_ip
15    expression: evt.Parsed.client_ip
16  - meta: service
17    value: exchange
18  - meta: log_type
19    value: imap
20  - meta: sub_type
21    value: auth_fail

Hub configuration

« exchange-imap-logs »v0.1 by crowdsecurityLog parser

« exchange-imap-logs »
v0.1 by crowdsecurity
Log parser