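# CrowdSec parser for HAProxy logs (hub item crowdsecurity/haproxy-logs).
# Only lines whose syslog program name starts with "haproxy" enter this parser;
# a successful node match passes the enriched event on to the next stage.
filter: "evt.Parsed.program startsWith 'haproxy'"
onsuccess: next_stage
name: crowdsecurity/haproxy-logs
description: "Parse haproxy http logs"
nodes:
  # Node 1: the HTTP access-log line. Field choices worth knowing when reading
  # the pattern:
  #   - time_duration, bytes_read and retries are NOTSPACE rather than INT
  #     because HAProxy may prefix them with "+" (e.g. with "option logasap"),
  #     which an INT capture would reject and silently drop the whole line.
  #   - the request line alternates with "<BADREQ>", HAProxy's marker for a
  #     request it could not parse; in that case every http_* field stays empty.
  #   - a user:password@host URL only captures the user part; the password
  #     "(?::[^@]*)?" is matched but deliberately not stored in evt.Parsed.
  #   - http_verb, http_host and http_request are verbatim, client-controlled
  #     request data; downstream scenarios must treat them as untrusted.
  - grok:
      pattern: '%{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"'
      apply_on: message
    statics:
      - meta: log_type
        value: http_access-log

  # Node 2: TLS handshake failures on a frontend. These lines carry no request,
  # so the http_* fields below are absent; log_type lets scenarios single out
  # repeated handshake failures from one client_ip.
  - grok:
      pattern: '%{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name}/%{NOTSPACE:server_name}: SSL handshake failure'
      apply_on: message
    statics:
      - meta: log_type
        value: bad_ssl_handshake

# Applied after whichever node matched.
statics:
  # Event time is rebuilt from the sub-captures of HAPROXYDATE (haproxy_monthday,
  # haproxy_month, ... come from the grok pattern library, not from this file).
  # haproxy_second[0:2] drops the millisecond part. The offset is fixed to
  # " -0000": this assumes HAProxy logs in UTC — if it logs in local time, event
  # timestamps (and therefore scenario leaky-bucket timing) are skewed by the
  # host's offset; verify against the deployment.
  - target: evt.StrTime
    expression: evt.Parsed.haproxy_monthday + '/' + evt.Parsed.haproxy_month + '/' + evt.Parsed.haproxy_year + ':' + evt.Parsed.haproxy_hour + ':' + evt.Parsed.haproxy_minute + ':' + evt.Parsed.haproxy_second[0:2] + ' -0000'
  - meta: service
    value: http
  # source_ip is the address HAProxy saw on the accepted connection, not any
  # X-Forwarded-For value; behind another proxy this is the proxy's address.
  - meta: source_ip
    expression: evt.Parsed.client_ip
  - meta: http_path
    expression: evt.Parsed.http_request
  - meta: http_status
    expression: evt.Parsed.http_status_code
  - meta: http_verb
    expression: evt.Parsed.http_verb
  # Normalised names shared with the other HTTP parsers so generic scenarios
  # can read evt.Parsed.request / evt.Parsed.verb regardless of the log source.
  - parsed: request
    expression: evt.Parsed.http_request
  - parsed: verb
    expression: evt.Parsed.http_verb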