dropbear-logs Log Parser

« dropbear-logs »
v0.3 by crowdsecurity
Log parser

Parse dropbear logs

Installation

cscli parsers install crowdsecurity/dropbear-logs

Description

Parser for dropbear SSH server.

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'dropbear'"
3name: crowdsecurity/dropbear-logs
4description: "Parse dropbear logs"
5nodes:
6  - grok: 
7      pattern: "Bad PAM password attempt for '%{DATA:user}' from %{IP:source_ip}:%{INT:port}"
8      apply_on: message
9  - grok: 
10      pattern: "Login attempt for nonexistent user from %{IP:source_ip}:%{INT:port}"
11      apply_on: message
12  - grok: 
13      pattern: "Exit before auth from <%{IP:source_ip}:%{INT:port}>:"
14      apply_on: message
15statics:
16  - meta: service
17    value: dropbear
18  - meta: target_user
19    expression: evt.Parsed.user
20  - meta: source_ip
21    expression: evt.Parsed.source_ip
22  - meta: log_type
23    value: ssh_failed-auth
24

Hub configuration

« dropbear-logs »v0.3 by crowdsecurityLog parser

« dropbear-logs »
v0.3 by crowdsecurity
Log parser