# Install this parser on the CrowdSec host with cscli
cscli parsers install crowdsecurity/nginx-proxy-manager-logs
A generic parser for Nginx Proxy Manager, supporting both access and error logs.
# CrowdSec parser for Nginx Proxy Manager (NPM) logs.
#
# Handles four line shapes: proxy-host access logs, default-host access logs,
# malformed-request access lines, and the nginx error log (with two sub-nodes
# that tag HTTP basic-auth failures). A successful match is promoted to the
# next stage and the shared `statics` at the bottom of this file are applied.
#
# Only events whose program name starts with 'nginx-proxy-manager' reach this
# parser; the acquisition must label them that way or nothing below matches.
filter: "evt.Parsed.program startsWith 'nginx-proxy-manager'"
onsuccess: next_stage
name: crowdsecurity/nginx-proxy-manager-logs
description: "Parse Nginx Proxy Manager access and error logs"
# Custom grok sub-patterns used by the nodes below.
pattern_syntax:
  # Accepted values for the upstream cache status field (or "-" when absent).
  NGCACHESTATUS: 'HIT|MISS|BYPASS|EXPIRED|STALE|UPDATING|REVALIDATED|-'
  # `\d*` also matches the empty string, so this accepts "", "-" or digits.
  NUM_OR_DASH: '-|\d*'
  NO_DOUBLE_QUOTE: '[^"]+'
  # Error-log messages for basic-auth failures. The quoted username is whatever
  # the client submitted, so meta.username must be treated as untrusted input.
  USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
  PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
nodes:
  # Proxy-host access log. The cache-status/upstream-status pair and the
  # "[Sent-to ...]" field are optional so both the newer and legacy NPM formats
  # match. In this format the user agent comes before the referer.
  - grok:
      pattern: '\[%{HTTPDATE:time_local}\]( %{NGCACHESTATUS:upstream_cache_status} %{NUM_OR_DASH:upstream_status})? %{NUMBER:status} - %{WORD:verb} %{WORD:scheme} %{IPORHOST:target_fqdn} \"%{NOTDQUOTE:request}\" \[Client %{IPORHOST:remote_addr}\] \[Length %{NUMBER:body_bytes_sent}\] \[Gzip %{DATA:gzip_ratio}\]( \[Sent-to %{DATA:target_server}\])? \"%{NOTDQUOTE:http_user_agent}\" \"%{NOTDQUOTE:http_referer}\"'
      apply_on: message
    statics:
      - meta: log_type
        value: http_access-log
      # evt.StrTime carries the raw timestamp string for the later date-parsing stage.
      - target: evt.StrTime
        expression: evt.Parsed.time_local
  # Default-host access log: combined-style line with an optional leading vhost
  # and optional trailing request-length/time and upstream-name fields. Here the
  # referer precedes the user agent, the reverse of the proxy-host format above.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
      apply_on: message
    statics:
      - meta: log_type
        value: http_access-log
      - target: evt.StrTime
        expression: evt.Parsed.time_local
  # Error log. `%{GREEDYDATA:message}` re-captures into `message`, so the
  # nested nodes below (also `apply_on: message`) see the error text alone
  # rather than the whole line. `target_fqdn` is captured twice (optional
  # leading vhost and the `server:` field); which value wins when both are
  # present depends on the grok engine — NOTE(review): confirm if it matters.
  # The `host:` value is matched but not stored.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{IPORHOST:target_fqdn}, request: "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}", host: "%{IPORHOST}"'
      apply_on: message
    statics:
      - meta: log_type
        value: http_error-log
      - target: evt.StrTime
        expression: evt.Parsed.time
    onsuccess: next_stage
    # Sub-nodes: tag basic-auth failures so scenarios can count them. Both set
    # the same sub_type and expose the client-supplied username as meta.username.
    nodes:
      - filter: "evt.Parsed.message contains 'was not found in'"
        grok:
          pattern: '%{USER_NOT_FOUND}'
          apply_on: message
        statics:
          - meta: sub_type
            value: "auth_fail"
          - meta: username
            expression: evt.Parsed.username
      - filter: "evt.Parsed.message contains 'password mismatch'"
        grok:
          pattern: '%{PASSWORD_MISMATCH}'
          apply_on: message
        statics:
          - meta: sub_type
            value: "auth_fail"
          - meta: username
            expression: evt.Parsed.username
  # Malformed requests: same shape as the default-host line, but the quoted
  # request is not split into verb/path/version. No `verb` is captured, so
  # meta.http_verb stays empty for these events and http_path holds the whole
  # raw request string.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{DATA:request}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
      apply_on: message
    statics:
      - meta: log_type
        value: http_access-log
      - target: evt.StrTime
        expression: evt.Parsed.time_local
# Shared statics, applied after any of the four nodes above matches.
# source_ip is the address nginx logged as the client; downstream scenarios
# decide on (and may ban) this address, so it must be the real client.
# NOTE(review): if NPM sits behind another proxy or CDN, nginx must be
# configured to recover the real client address, otherwise remote_addr is the
# upstream proxy and decisions would hit it — confirm per deployment.
# http_path and http_user_agent are copied verbatim from the request and are
# attacker-controlled; do not treat them as trusted in scenarios or alerts.
statics:
  - meta: service
    value: http
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  - meta: http_status
    expression: "evt.Parsed.status"
  - meta: http_path
    expression: "evt.Parsed.request"
  - meta: http_verb
    expression: "evt.Parsed.verb"
  - meta: http_user_agent
    expression: "evt.Parsed.http_user_agent"
  - meta: target_fqdn
    expression: "evt.Parsed.target_fqdn"