# Install this parser from the CrowdSec hub.
cscli parsers install crowdsecurity/mssql-logs
Parser for MSSQL logs collected via wineventlog, or for Azure-Edge-Sql MSSQL logs collected via docker.
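# Acquisition configurations for this parser: one for the Windows event log,
# one for the MSSQL container. Both tag lines with labels.type = mssql; the
# text-log document of the parser filters on evt.Parsed.program == 'mssql',
# which is presumably derived from this label — confirm against the parser.
---
# Windows: read event 18456 (failed login) from the Application channel.
source: wineventlog
event_channel: Application
event_ids:
  - 18456
event_level: information
labels:
  type: mssql
---
# Docker: tail the Azure-Edge-Sql container's logs.
source: docker
container_id:
  # Placeholder — replace with the real Azure-Edge-Sql container ID, or drop this
  # key and select the container by name with container_name_regexp below.
  - "<Docker Container ID>"
container_name_regexp:
  # Was `.*mssql*`: the trailing `*` made the final "l" optional, so names
  # containing only "mssq" matched too. Require the full "mssql" substring.
  - ".*mssql.*"
labels:
  type: mssql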
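# Windows event log variant: MSSQL Application-channel event 18456 (login failed).
# The login name, the reason text and the client address are read out of the
# event XML (EventData/Data[1..3]) rather than from a rendered message.
onsuccess: next_stage
name: crowdsecurity/mssql-logs
description: "Parse mssql logs"
# Source is the default instance name (MSSQLSERVER) or a named instance (MSSQL$<name>).
filter: "evt.Parsed.Channel == 'Application' && (evt.Parsed.Source == 'MSSQLSERVER' || evt.Parsed.Source startsWith 'MSSQL$') && evt.Parsed.EventID == '18456'"
nodes:
  # Data[2] holds the failure reason; each top-level node recognises one reason
  # and tags the event with the matching subtype. Data[3] holds "[CLIENT: <ip>]",
  # which the child node turns into meta.source_ip.
  - grok:
      pattern: "Reason: Password did not match that for the login provided\\."
      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]")
    nodes:
      - grok:
          pattern: "\\[CLIENT: %{IP:source_ip}\\]"
          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[3]")
        statics:
          - meta: source_ip
            expression: evt.Parsed.source_ip
    statics:
      - meta: subtype
        value: bad_password
  - grok:
      pattern: "Reason: Could not find a login matching the name provided\\."
      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]")
    nodes:
      - grok:
          pattern: "\\[CLIENT: %{IP:source_ip}\\]"
          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[3]")
        statics:
          - meta: source_ip
            expression: evt.Parsed.source_ip
    statics:
      - meta: subtype
        value: bad_user
statics:
  # `service` was only emitted by the text-log document below; emit it here as
  # well so both variants expose the same meta keys to scenarios.
  - meta: service
    value: mssql
  - meta: log_type
    value: mssql_failed_auth
  # Data[1] is the login name as supplied by the remote client — untrusted text,
  # not proof that such an account exists; treat it accordingly when displayed.
  - meta: user
    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[1]")
---
# Text-log variant: the MSSQL errorlog (e.g. from the Azure-Edge-Sql container),
# one "Login failed for user '...'" line per failed login.
onsuccess: next_stage
name: crowdsecurity/mssql-text-logs
description: "Parse mssql logs"
filter: "evt.Parsed.program == 'mssql'"
pattern_syntax:
  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
nodes:
  - grok:
      # NOTE(review): IPORHOST also accepts a hostname, so meta.source_ip is not
      # guaranteed to be an address for this variant — confirm what the consuming
      # scenarios expect before relying on it for remediation.
      pattern: "%{DATE_YMD:date} %{TIME:time} Logon.*Login failed for user '%{NOTDQUOTE:user}'. Reason: %{GREEDYDATA:reason_message}. \\[CLIENT: %{IPORHOST:source_ip}\\]"
      apply_on: message
    onsuccess: next_stage
    nodes:
      # The reason text is compared literally, so only the two known failure
      # reasons receive a subtype.
      - filter: "evt.Parsed.reason_message == 'Password did not match that for the login provided'"
        onsuccess: next_stage
        statics:
          - meta: subtype
            value: bad_password
      - filter: "evt.Parsed.reason_message == 'Could not find a login matching the name provided'"
        onsuccess: next_stage
        statics:
          - meta: subtype
            value: bad_user
statics:
  - meta: service
    value: mssql
  - meta: log_type
    value: mssql_failed_auth
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  # Rebuild the event timestamp from the parsed date and time fields.
  - target: evt.StrTime
    expression: "evt.Parsed.date + ' ' + evt.Parsed.time"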