---
# CrowdSec parser: extracts the accepted-connection lines written by Endlessh
# (the C daemon and the Go port) and exposes the client address as
# meta.source_ip for downstream scenarios.
name: crowdsecurity/endlessh-logs
description: 'Parse Endlessh logs'

# Only events already attributed to the 'endlessh' program are considered;
# anything else is left untouched by this parser.
filter: "evt.Parsed.program == 'endlessh'"
onsuccess: next_stage

pattern_syntax:
  # Go port (glog style): month+day, no year, then the time of day.
  ENDLESSH_GO_DATE: '%{MONTHNUM2}%{DAY2} %{TIME}'
  ENDLESSH_GO_LINE: 'I%{ENDLESSH_GO_DATE:timestamp}.*\] ACCEPT host=%{IP:source_ip} '
  # C daemon: ISO-8601 timestamp, then the peer address.
  # The optional '::ffff:' prefix (IPv4-mapped IPv6) is matched outside the
  # capture so source_ip holds a bare IPv4 address.
  ENDLESSH_ACCEPT_V4: '%{TIMESTAMP_ISO8601:timestamp}? ACCEPT host=(::ffff:)?%{IPV4:source_ip} '
  ENDLESSH_ACCEPT_V6: '%{TIMESTAMP_ISO8601:timestamp}? ACCEPT host=%{IPV6:source_ip} '

nodes:
  # Go port. The timestamp has no year, so a Go layout without a year is
  # supplied for the time parsing done later.
  # NOTE(review): this node captures with %{IP} and does not strip a
  # '::ffff:' prefix the way ENDLESSH_ACCEPT_V4 does — confirm whether the Go
  # port can emit IPv4-mapped addresses.
  - grok:
      name: ENDLESSH_GO_LINE
      apply_on: Line.Raw
    statics:
      - meta: log_type
        value: endlessh_accept
      - target: evt.StrTimeFormat
        value: '0102 15:04:05'

  # C daemon, IPv4 peer.
  - grok:
      name: ENDLESSH_ACCEPT_V4
      apply_on: Line.Raw
    statics:
      - meta: log_type
        value: endlessh_accept

  # C daemon, IPv6 peer.
  - grok:
      name: ENDLESSH_ACCEPT_V6
      apply_on: Line.Raw
    statics:
      - meta: log_type
        value: endlessh_accept

# Applied after a node matched: tag the service and promote the captured
# timestamp and address.
statics:
  - meta: service
    value: endlessh
  - target: evt.StrTime
    expression: 'evt.Parsed.timestamp'
  - meta: source_ip
    expression: 'evt.Parsed.source_ip'
39