nextcloud-logs Configuration

« nextcloud-logs »
v0.4 by crowdsecurity
Log parser

Parse nextcloud logs

Installation

cscli parsers install crowdsecurity/nextcloud-logs

Description

Parser for Nextcloud logs

If you have the default setting of logging to file, you need to add in acquisition (change filename to your log file location):

---
filenames:
 - /var/www/nextcloud/data/nextcloud.log
labels:
  type: Nextcloud

If you are sending logs to syslog or systemd and read from journald, add:

---
source: journalctl
journalctl_filter:
  - "SYSLOG_IDENTIFIER=Nextcloud"
labels:
  type: syslog

YAML Configuration

1---
2onsuccess: next_stage
3filter: "Upper(evt.Parsed.program) == 'NEXTCLOUD'"
4name: crowdsecurity/nextcloud-logs
5description: "Parse nextcloud logs"
6pattern_syntax:
7  NEXTCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_%]+'
8nodes:
9  - grok:
10      pattern: 'Login failed: ''?%{NEXTCLOUD_USER:target_user}''? \(Remote IP: ''?%{IP:source_ip}''?\)'
11      expression: JsonExtract(evt.Parsed.message, "message")
12    statics:
13      - meta: target_user
14        expression: "evt.Parsed.target_user"
15      - meta: log_type
16        value: nextcloud_failed_auth
17  - grok:
18      pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"'
19      expression: JsonExtract(evt.Parsed.message, "message")
20    statics:
21      - meta: action
22        expression: "evt.Parsed.action"
23      - meta: log_type
24        value: nextcloud_bruteforce_attempt
25
26#{"reqId":"dCA39mNG3NHLwbibVCFp","level":1,"time":"2023-02-14T17:28:33+00:00","remoteAddr":"172.18.0.200","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"172.18.0.200\" tried to access using \"kloot.ronsmans.eu\" as host.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0","version":"25.0.3.2","data":{"app":"core"}}
27
28  - grok:
29      pattern: 'Trusted domain error. \\"%{IP:source_ip}\\".*'
30      expression: JsonExtract(evt.Parsed.message, "message")
31    statics:
32      - meta: log_type
33        value: nextcloud_domain_error
34
35statics:
36  - meta: service
37    value: nextcloud
38  - meta: source_ip
39    expression: "evt.Parsed.source_ip"
40  - target: evt.StrTime
41    expression: JsonExtract(evt.Parsed.message, "time")
42

Hub configuration

« nextcloud-logs »v0.4 by crowdsecurityLog parser

« nextcloud-logs »
v0.4 by crowdsecurity
Log parser