pam-logs Configuration

« pam-logs »
v0.2 by crowdsecurity
Log parser

Parse pam logs

Installation

cscli parsers install crowdsecurity/pam-logs

Description

A minimal parser for pam, supports only :

authentication failure messages
account lock (pam_tally)

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'sudo'"
3name: crowdsecurity/pam-logs
4description: "Parse pam logs"
5nodes:
6  - grok: 
7      pattern: 'pam_tally2\(sudo:auth\): user %{NOTSPACE:username} \(%{NUMBER:uid}\) tally \d, deny \d'
8      apply_on: message
9      statics:
10        - meta: log_type
11          value: pam_user_lock
12  - grok:
13      pattern: 'pam_unix\(sudo:auth\): authentication failure; logname=%{NOTSPACE:logname} uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{NOTSPACE:tty} ruser=%{NOTSPACE:ruser} rhost=%{GREEDYDATA:rhost}  user=%{NOTSPACE:username}'
14      apply_on: message
15      statics:
16        - meta: log_type
17          value: pam_failed_auth
18statics:
19  - meta: service
20    value: pam
21  - meta: username
22    expression: "evt.Parsed.username"
23

Hub configuration

« pam-logs »v0.2 by crowdsecurityLog parser

« pam-logs »
v0.2 by crowdsecurity
Log parser