# Install this parser from the CrowdSec hub (cscli fetches the YAML shown below)
cscli parsers install crowdsecurity/litespeed-logs
A parser for LiteSpeed server logs, supporting both access logs and error logs (HTTP user authentication failures).
# CrowdSec parser for LiteSpeed logs.
# Three grok nodes are tried in order; the first that matches feeds the
# per-node statics, then the top-level statics below populate evt.Meta.
# Only events whose program is 'litespeed' enter this parser.
filter: "evt.Parsed.program == 'litespeed'"
onsuccess: next_stage
name: crowdsecurity/litespeed-logs
description: "Parse litespeed access and error logs"
nodes:
  - grok:
      #access log
      # Captures remote_addr, optional remote_user, time_local, verb, request,
      # status, body_bytes_sent, http_referer and http_user_agent. This is the
      # only node that yields status/request/verb/http_user_agent, so the
      # http_* metas below are populated for access-log events only.
      pattern: '%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"'
      apply_on: message
    statics:
      - meta: log_type
        value: http_access-log
      # evt.StrTime is the timestamp string CrowdSec later parses into evt.Time
      - target: evt.StrTime
        expression: evt.Parsed.time_local
  - grok:
      #user not found or bad password for HTTP auth
      # Error-log line: ISO8601 time, [log_level], [pid], then a bracketed
      # "remote_addr:misc#vhost" token. NOTE(review): `misc` is presumably the
      # client port and `remote_addr` the client address -- confirm against a
      # real LiteSpeed error line, since remote_addr becomes meta.source_ip.
      pattern: "%{TIMESTAMP_ISO8601:time} \\[%{DATA:log_level}\\] \\[%{NONNEGINT:pid}\\] \\[%{IPORHOST:remote_addr}:%{DATA:misc}#%{DATA:vhost}\\] User '%{NGUSER:username}' failed to authenticate\\."
      apply_on: message
    statics:
      - meta: sub_type
        value: "auth_fail"
      # username is attacker-supplied text copied from the log line; treat
      # meta.username as untrusted when it is displayed or matched downstream.
      - meta: username
        expression: evt.Parsed.username
      - target: evt.StrTime
        expression: evt.Parsed.time
  - grok:
      #admin UI auth fail
      # Same error-log prefix as the node above, followed by two unnamed
      # bracketed fields and "Failed Login Attempt - username:... ip:... url:...".
      # NOTE(review): this node captures both remote_addr (bracket) and
      # client_ip (message); only remote_addr is exported as source_ip below.
      # Confirm the two agree, otherwise bans could target the wrong address.
      pattern: "%{TIMESTAMP_ISO8601:time} \\[%{DATA:log_level}\\] \\[%{NONNEGINT:pid}\\] \\[%{IPORHOST:remote_addr}:%{DATA:misc}#%{DATA:vhost}\\] \\[%{WORD}\\] \\[%{DATA}\\] Failed Login Attempt - username:%{DATA:username} ip:%{IP:client_ip} url:%{DATA:url}"
      apply_on: message
    statics:
      - meta: sub_type
        value: "litespeed_admin_auth_fail"
      - target: evt.StrTime
        expression: evt.Parsed.time
      # As above: untrusted, attacker-chosen string.
      - meta: username
        expression: evt.Parsed.username
# Top-level statics run after whichever node matched. Expressions that
# reference a field the matching node did not capture evaluate to empty.
statics:
  - meta: service
    value: http
  # source_ip is what scenarios ban; every node captures remote_addr.
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  # The next four fields are captured by the access-log node only.
  - meta: http_status
    expression: "evt.Parsed.status"
  - meta: http_path
    expression: "evt.Parsed.request"
  - meta: http_verb
    expression: "evt.Parsed.verb"
  - meta: http_user_agent
    expression: "evt.Parsed.http_user_agent"
  # NOTE(review): no grok pattern in this file captures `target_fqdn`, so this
  # meta is never populated here. Either drop it or capture the host/vhost
  # (the error-log nodes already capture `vhost`) if scenarios rely on it.
  - meta: target_fqdn
    expression: "evt.Parsed.target_fqdn"