cpanel-logs Log Parser

Installation

cscli parsers install crowdsecurity/cpanel-logs

Description

Parser for cpanel logs.

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'cpanel'"
3name: crowdsecurity/cpanel-logs
4description: "Parse Cpanel logs"
5pattern_syntax:
6  NO_DOUBLE_QUOTE: '[^"]+'
7  CPANEL_HEADER: \[%{DATA:date} \+[0-9]+\] info \[(cpaneld|whostmgrd)\] %{IP:remote_addr} - %{NOTSPACE:username} "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}"
8nodes:
9  - grok: 
10      pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: brute force attempt \(user %{DATA}\) has locked out IP %{IP}'
11      apply_on: message
12      statics:
13        - meta: log_type
14          value: auth_bf_attempt
15        - target: evt.StrTime
16          expression: evt.Parsed.date
17  - grok: 
18      pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: brute force attempt \(user %{DATA:target_user}\) has locked out IP %{IP}'
19      apply_on: message
20      statics:
21        - meta: log_type
22          value: auth_bf_log
23        - target: evt.StrTime
24          expression: evt.Parsed.date
25  - grok: 
26      pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: invalid cpanel user %{DATA:target_user}'
27      apply_on: message
28      statics:
29        - meta: log_type
30          value: auth_bf_log
31        - target: evt.StrTime
32          expression: evt.Parsed.date
33  - grok: 
34      pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: %{DATA:target_user} login is not permitted to cpaneld'
35      apply_on: message
36      statics:
37        - meta: log_type
38          value: auth_bf_log
39        - target: evt.StrTime
40          expression: evt.Parsed.date
41  - grok: 
42      pattern: '%{CPANEL_HEADER} FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root'
43      apply_on: message
44      statics:
45        - meta: log_type
46          value: auth_bf_log
47        - target: evt.StrTime
48          expression: evt.Parsed.date
49  - grok: 
50      pattern: '%{CPANEL_HEADER} FAILED LOGIN whostmgrd: user password incorrect'
51      apply_on: message
52      statics:
53        - meta: log_type
54          value: auth_bf_log
55        - target: evt.StrTime
56          expression: evt.Parsed.date
57  - grok: # see https://docs.cpanel.net/knowledge-base/cpanel-product/the-cpanel-log-files/
58      pattern: '%{IP:remote_addr} - %{NOTSPACE:username} \[%{DATE}:%{TIME} %{ISO8601_TIMEZONE}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{INT:status} %{INT:request_body_length} "%{NOTSPACE:http_referer}" "%{NO_DOUBLE_QUOTE:http_user_agent}" "%{NO_DOUBLE_QUOTE:auth_method}" "%{NO_DOUBLE_QUOTE:x_forwarded_for}" %{NUMBER:server_port}'
59      apply_on: message
60      statics:
61        - meta: log_type
62          value: http_access-log
63statics:
64  - meta: service
65    value: http
66  - meta: source_ip
67    expression: "evt.Parsed.remote_addr"
68  - meta: http_path
69    expression: "evt.Parsed.request"
70  - meta: http_verb
71    expression: "evt.Parsed.verb"
72  - meta: http_user_agent
73    expression: "evt.Parsed.http_user_agent"
74  - meta: http_status
75    expression: "evt.Parsed.status"
76  - meta: username
77    expression: "evt.Parsed.username"

Hub configuration

« cpanel-logs »
v0.4 by crowdsecurity
Log parser

Hub configuration

« cpanel-logs »v0.4 by crowdsecurityLog parser

« cpanel-logs »
v0.4 by crowdsecurity
Log parser