caddy-logs Log Parser

Parser for caddy logs. It expects the default key values for caddy logs.

You need to specify caddy config to enable logging in a file:

:80 {
        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
        log {
                output file /var/log/caddy/access.log
        }
}

And then add in acquisition this :

---
filenames:
 - /var/log/caddy/access.log
labels:
  type: caddy

1filter: |

2 evt.Parsed.program startsWith 'caddy' &&

3 UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'caddy') in ['', nil] &&

4 (evt.Unmarshaled.caddy.logger == nil || evt.Unmarshaled.caddy.logger != 'http.handlers.waf') &&

5 evt.Unmarshaled.caddy.request != nil

6onsuccess: next_stage

7name: crowdsecurity/caddy-logs

8description: "Parse caddy logs"

9statics:

10 - meta: log_type

11 value: http_access-log

12 - target: evt.StrTime

13 expression: |

14 Sprintf("%v", evt.Unmarshaled.caddy.ts) matches '^[0-9e\\.\\+]+$' ? int(evt.Unmarshaled.caddy.ts) : evt.Unmarshaled.caddy.ts

15 - meta: service

16 value: http

17 ##Caddy now sets client_ip to the value of X-Forwarded-For if users sets trusted proxies

18 - parsed: remote_ip

19 expression: "evt.Unmarshaled.caddy.request.client_ip"

20 - parsed: http_version

21 expression: "Split(evt.Unmarshaled.caddy.request.proto, '/')[1]"

22 - meta: source_ip

23 expression: evt.Parsed.remote_ip

24 - meta: http_status

25 expression: "evt.Unmarshaled.caddy.status != nil ? int(evt.Unmarshaled.caddy.status) : nil" ## We still check if status is not nil because of downstream error

26 - meta: http_path

27 expression: "evt.Unmarshaled.caddy.request.uri"

28 - parsed: request #Add for http-logs enricher

29 expression: "evt.Unmarshaled.caddy.request.uri"

30 - parsed: verb

31 expression: "evt.Unmarshaled.caddy.request.method"

32 - meta: http_verb

33 expression: "evt.Unmarshaled.caddy.request.method"

34 - parsed: http_user_agent

35 expression: "get(evt.Unmarshaled.caddy.request.headers, 'User-Agent') != nil ? evt.Unmarshaled.caddy.request.headers['User-Agent'][0] : nil" ## We still check if useragent exists because of client may not send it

36 - meta: http_user_agent

37 expression: evt.Parsed.http_user_agent

38 - meta: target_fqdn

39 expression: "evt.Unmarshaled.caddy.request.host"

40 - meta: sub_type

41 expression: "evt.Meta.http_status == '401' && get(evt.Unmarshaled.caddy.resp_headers, 'Www-Authenticate') != nil && any(get(evt.Unmarshaled.caddy.resp_headers, 'Www-Authenticate'), { # startsWith 'Basic' }) ? 'auth_fail' : nil"

Hub configuration

« caddy-logs »
v1.1 by crowdsecurity
Log parser

Hub configuration

« caddy-logs »v1.1 by crowdsecurityLog parser

« caddy-logs »
v1.1 by crowdsecurity
Log parser