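---
# CrowdSec parser for Dovecot authentication logs.
# Takes events whose syslog program is `dovecot`, extracts the remote client IP
# and the login message, and tags authentication failures for the scenarios
# that run after this stage.

# Once one of the grok nodes below matches, hand the event to the next stage.
onsuccess: next_stage
debug: false
# Only lines attributed to the dovecot program are considered by this parser.
filter: "evt.Parsed.program == 'dovecot'"
name: crowdsecurity/dovecot-logs
description: "Parse dovecot logs"
pattern_syntax:
  # Name of the auth function reported as failing: an identifier with an
  # optional `()` suffix (used in the `<func> failed: ` prefix below).
  AUTH_FUNC: '[A-Za-z0-9_]+(\(\))?'
nodes:
  # Login-process lines:
  #   "<proto>-login: <message>: user=<name>..., rip=<ip>, lip=<ip>"
  # `%{DATA:dovecot_user}` is non-greedy and stops at the first `>`, so a
  # username containing `>` is truncated; the IPs are not affected because the
  # following `.*` is greedy and binds `rip=`/`lip=` to the last such pair.
  - grok:
      pattern: "%{WORD:protocol}-login: %{DATA:dovecot_login_message}: user=<%{DATA:dovecot_user}>.*, rip=%{IP:dovecot_remote_ip}, lip=%{IP:dovecot_local_ip}"
      apply_on: message
  # auth-worker lines:
  #   "auth-worker(<pid>): <backend>(<user>,<ip>[,...]): [<func> failed: ]<message>"
  # NOTE(review): in this node and the two below, `%{DATA:dovecot_user}` is
  # non-greedy and the username is client-supplied. If dovecot logs it verbatim,
  # a username of the form "x,<ip>" ends the capture early and the attacker-
  # chosen address becomes dovecot_remote_ip — and therefore meta.source_ip in
  # the statics. Confirm what dovecot sanitizes in the logged username before
  # relying on source_ip from these nodes for remediation.
  - grok:
      pattern: "auth-worker\\(%{INT}\\): %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
      apply_on: message
  # Same auth-worker format, with the optional "Info: conn unix:auth-worker
  # (pid=<n>,uid=<n>): auth-worker<<n>>: " prefix emitted by newer versions.
  - grok:
      pattern: "auth-worker\\(%{INT}\\): (Info: )?conn unix:auth-worker \\(pid=%{INT},uid=%{INT}\\): auth-worker<%{INT}>: %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
      apply_on: message
  # passwd-file backend lines logged by the main auth process:
  #   "auth: passwd-file(<user>,<ip>): [<func> failed: ]<message>"
  - grok:
      pattern: "auth: passwd-file\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
      apply_on: message
statics:
  - meta: log_type
    value: dovecot_logs
  # Remote address as captured by whichever node matched (see the spoofing
  # note on the auth-worker nodes above).
  - meta: source_ip
    expression: "evt.Parsed.dovecot_remote_ip"
  # 'auth_failed' when the captured message contains one of the listed failure
  # strings, otherwise an empty string.
  - meta: dovecot_login_result
    expression: "any(['Authentication failure', 'Password mismatch', 'password mismatch', 'auth failed', 'unknown user'], {evt.Parsed.dovecot_login_message contains #}) ? 'auth_failed' : ''"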