mssql-logs Log Parser

Installation

cscli parsers install crowdsecurity/mssql-logs

Description

Parser for MSSQL Logs via wineventlog OR MSSQL logs for Azure-Edge-Sql via docker

---
source: wineventlog
event_channel: Application
event_ids:
 - 18456
event_level: information
labels:
 type: mssql
---
source: docker
container_id:
 - <Docker Container ID> #Azure-Edge-Sql container ID
container_name_regexp:
 - .*mssql*
labels:
  type: mssql

YAML Configuration

1onsuccess: next_stage
2name: crowdsecurity/mssql-logs
3description: "Parse mssql logs"
4filter: "evt.Parsed.Channel == 'Application' && (evt.Parsed.Source == 'MSSQLSERVER' || evt.Parsed.Source startsWith 'MSSQL$') && evt.Parsed.EventID == '18456'"
5nodes:
6  - grok:
7      pattern: "Reason: Password did not match that for the login provided\\."
8      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]")
9    nodes:
10      - grok:
11          pattern: "\\[CLIENT: %{IP:source_ip}\\]"
12          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[3]")
13          statics:
14            - meta: source_ip
15              expression: evt.Parsed.source_ip
16    statics:
17      - meta: subtype
18        value: bad_password
19  - grok:
20      pattern: "Reason: Could not find a login matching the name provided\\."
21      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]")
22    nodes:
23      - grok:
24          pattern: "\\[CLIENT: %{IP:source_ip}\\]"
25          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[3]")
26          statics:
27            - meta: source_ip
28              expression: evt.Parsed.source_ip
29    statics:
30      - meta: subtype
31        value: bad_user
32statics:
33  - meta: log_type
34    value: mssql_failed_auth
35  - meta: user
36    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[1]")
37---
38onsuccess: next_stage
39name: crowdsecurity/mssql-text-logs
40description: "Parse mssql logs"
41filter: "evt.Parsed.program == 'mssql'"
42pattern_syntax:
43  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
44nodes:
45  - grok:
46      pattern: "%{DATE_YMD:date} %{TIME:time} Logon.*Login failed for user '%{NOTDQUOTE:user}'. Reason: %{GREEDYDATA:reason_message}. \\[CLIENT: %{IPORHOST:source_ip}\\]"
47      apply_on: message
48    onsuccess: next_stage
49    nodes:
50      - filter: "evt.Parsed.reason_message == 'Password did not match that for the login provided'"
51        onsuccess: next_stage
52        statics:
53          - meta: subtype
54            value: bad_password
55      - filter: "evt.Parsed.reason_message == 'Could not find a login matching the name provided'"
56        onsuccess: next_stage
57        statics:
58          - meta: subtype
59            value: bad_user
60statics:
61    - meta: service
62      value: mssql
63    - meta: log_type
64      value: mssql_failed_auth
65    - meta: source_ip
66      expression: "evt.Parsed.source_ip"
67    - target: evt.StrTime
68      expression: "evt.Parsed.date + ' ' + evt.Parsed.time"

Hub configuration

« mssql-logs »
v0.3 by crowdsecurity
Log parser

Hub configuration

« mssql-logs »v0.3 by crowdsecurityLog parser

« mssql-logs »
v0.3 by crowdsecurity
Log parser