mysql-logs Log Parser

« mysql-logs »
v0.4 by crowdsecurity
Log parser

Parse MySQL logs

Installation

cscli parsers install crowdsecurity/mysql-logs

Description

Mysql authentication fail parser.

YAML Configuration

1onsuccess: next_stage
2name: crowdsecurity/mysql-logs
3description: "Parse MySQL logs"
4filter: "evt.Parsed.program == 'mysql'"
5pattern_syntax:
6  MYSQL_ACCESS_DENIED: "Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)" 
7nodes:
8  - grok:
9      pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? %{MYSQL_ACCESS_DENIED}"
10      apply_on: message
11  - grok:
12      pattern: "%{TIMESTAMP_ISO8601:time}.*%{NUMBER} Connect.*%{MYSQL_ACCESS_DENIED}"
13      apply_on: message
14statics:
15  - meta: log_type
16    value: mysql_failed_auth
17  - meta: source_ip
18    expression: "evt.Parsed.source_ip"
19  - target: evt.StrTime
20    expression: evt.Parsed.time
21  - meta: user
22    expression: "evt.Parsed.user"
23

Hub configuration

« mysql-logs »v0.4 by crowdsecurityLog parser

« mysql-logs »
v0.4 by crowdsecurity
Log parser