mariadb-logs Log Parser

« mariadb-logs »
v0.4 by crowdsecurity
Log parser

Parse MariaDB logs

Installation

cscli parsers install crowdsecurity/mariadb-logs

Description

Mariadb authentication failure parser.

YAML Configuration

1onsuccess: next_stage
2name: crowdsecurity/mariadb-logs
3description: "Parse MariaDB logs"
4filter: "evt.Parsed.program startsWith 'mariadb'"
5pattern_syntax:
6  LONG_DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
7  SHORT_DATE_YMD: "%{YEAR:year}%{MONTHNUM2:month}%{MONTHDAY:day}"
8  PASSWORD_SYNTAX: " ?%{TIME:time} (%{NUMBER:thread_id} )?\\[Warning\\] Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)"
9nodes:
10  - grok:
11      pattern: "%{LONG_DATE_YMD:date} %{PASSWORD_SYNTAX}"
12      apply_on: message
13    onsuccess: next_stage
14  - grok:
15      pattern: "%{SHORT_DATE_YMD:date} %{PASSWORD_SYNTAX}"
16      apply_on: message
17      statics:
18        - target: evt.StrTimeFormat
19          value: "060102 15:04:05"
20    onsuccess: next_stage
21statics:
22  - target: evt.StrTime
23    expression: "evt.Parsed.date + ' ' + evt.Parsed.time"
24  - meta: log_type
25    value: "mariadb_failed_auth"
26  - meta: source_ip
27    expression: "evt.Parsed.source_ip"
28  - meta: user
29    expression: "evt.Parsed.user"
30

Hub configuration

« mariadb-logs »v0.4 by crowdsecurityLog parser

« mariadb-logs »
v0.4 by crowdsecurity
Log parser