opnsense-gui-logs Configuration

« opnsense-gui-logs »
v0.1 by crowdsecurity
Log parser

Parse OPNSense web auth logs

Installation

cscli parsers install crowdsecurity/opnsense-gui-logs

Description

A parser for opnsense web authentication (failed) logs. Those logs are usually present in /var/log/audit/latest.log.

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'audit'"
3name: crowdsecurity/opnsense-gui-logs
4description: "Parse OPNSense web auth logs"
5#/index.php: Web GUI authentication error for 'toto' from 1.2.3.4
6grok: 
7  pattern: "/index.php: Web GUI authentication error for '%{USERNAME:username}' from %{IPORHOST:source_ip}"
8  apply_on: message
9statics:
10  - meta: service
11    value: opnsense-gui
12  - meta: username
13    expression: "evt.Parsed.username"
14  - meta: source_ip
15    expression: evt.Parsed.source_ip
16  - meta: log_type
17    value: opnsense-gui-failed-auth
18

Hub configuration

« opnsense-gui-logs »v0.1 by crowdsecurityLog parser

« opnsense-gui-logs »
v0.1 by crowdsecurity
Log parser