postscreen-logs Configuration

« postscreen-logs »
v0.3 by crowdsecurity
Log parser

Parse postscreen logs

Installation

cscli parsers install crowdsecurity/postscreen-logs

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program in ['postfix/postscreen', 'haproxy/postscreen']"
3name: crowdsecurity/postscreen-logs
4pattern_syntax:
5  POSTSCREEN_PREGREET: 'PREGREET'
6  POSTSCREEN_PREGREET_TIME_ATTEMPT: '\d+(.\d+)?'
7description: "Parse postscreen logs"
8nodes:
9  - grok:
10      apply_on: message
11      pattern: '%{POSTSCREEN_PREGREET:pregreet} %{INT:count} after %{POSTSCREEN_PREGREET_TIME_ATTEMPT:time_attempt} from \[%{IP:remote_addr}\]:%{INT:port}: %{GREEDYDATA:message_attempt}'
12statics:
13    - meta: service
14      value: postscreen
15    - meta: source_ip
16      expression: "evt.Parsed.remote_addr"
17    - meta: pregreet
18      expression: "evt.Parsed.pregreet"
19
20
21

Hub configuration

« postscreen-logs »v0.3 by crowdsecurityLog parser

« postscreen-logs »
v0.3 by crowdsecurity
Log parser