cscli parsers install crowdsecurity/nginx-proxy-manager-logs
A generic parser for Nginx Proxy Manager, supporting both access and error logs.
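---
# Nginx Proxy Manager (NPM) parser. One grok node per log shape NPM writes:
# proxy-host access log, default-host access log, error log (with two child
# nodes for basic-auth failures), and malformed request lines. Whichever node
# matches, the shared `statics` at the bottom fill the meta fields that
# scenarios key on (source_ip, http_status, http_path, ...).
name: crowdsecurity/nginx-proxy-manager-logs
description: "Parse Nginx Proxy Manager access and error logs"
# Only events whose program label starts with 'nginx-proxy-manager' are
# considered; the acquisition must label NPM logs accordingly.
filter: "evt.Parsed.program startsWith 'nginx-proxy-manager'"
onsuccess: next_stage
nodes:
  # Proxy-host access log. The client address sits in a "[Client ...]"
  # bracket and the quoted field is the request URI, not the full request
  # line, so `request` is already path-shaped for this node. The optional
  # "[Sent-to ...]" bracket names the upstream NPM forwarded to.
  - grok:
      pattern: '\[%{HTTPDATE:time_local}\]( %{NUM_OR_DASH:upstream_cache_status} %{NUM_OR_DASH:upstream_status})? %{NUMBER:status} - %{WORD:verb} %{WORD:scheme} %{IPORHOST:target_fqdn} \"%{NOTDQUOTE:request}\" \[Client %{IPORHOST:remote_addr}\] \[Length %{NUMBER:body_bytes_sent}\] \[Gzip %{DATA:gzip_ratio}\]( \[Sent-to %{IPORHOST:target_server}\])? \"%{NOTDQUOTE:http_user_agent}\" \"%{NOTDQUOTE:http_referer}\"'
      apply_on: message
      # NUM_OR_DASH: the upstream_cache_status/upstream_status pair is either
      # numeric or "-" (no upstream involved).
      pattern_syntax:
        NUM_OR_DASH: '-|\d*'
      statics:
        - meta: log_type
          value: http_access-log
        - target: evt.StrTime
          expression: evt.Parsed.time_local
  # Default-host access log: combined-style line, optionally prefixed with
  # the vhost and suffixed with request length/time and upstream names.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
      apply_on: message
      statics:
        - meta: log_type
          value: http_access-log
        - target: evt.StrTime
          expression: evt.Parsed.time_local
  # Error log.
  # NOTE(review): `target_fqdn` is captured twice here (optional leading
  # vhost and the "server:" field); which value survives when both match
  # depends on the grok implementation — confirm before relying on
  # meta.target_fqdn for error-log events.
  # The GREEDYDATA capture is deliberately named `message`, so the child
  # nodes below filter/grok on the nginx error text rather than the whole
  # raw line (presumably intended — confirm).
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{IPORHOST:target_fqdn}, request: "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}", host: "%{IPORHOST}"'
      apply_on: message
      statics:
        - meta: log_type
          value: http_error-log
        - target: evt.StrTime
          expression: evt.Parsed.time
    # NO_DOUBLE_QUOTE is shared by the two child patterns below.
    pattern_syntax:
      NO_DOUBLE_QUOTE: '[^"]+'
    onsuccess: next_stage
    # Child nodes tag the two basic-auth failure messages so scenarios can
    # count them per source IP and per username.
    nodes:
      - filter: "evt.Parsed.message contains 'was not found in'"
        pattern_syntax:
          USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
        grok:
          pattern: '%{USER_NOT_FOUND}'
          apply_on: message
          statics:
            - meta: sub_type
              value: "auth_fail"
            # username is whatever the client sent; treat it as untrusted
            # text in scenarios and notifications.
            - meta: username
              expression: evt.Parsed.username
      - filter: "evt.Parsed.message contains 'password mismatch'"
        pattern_syntax:
          PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
        grok:
          pattern: '%{PASSWORD_MISMATCH}'
          apply_on: message
          statics:
            - meta: sub_type
              value: "auth_fail"
            - meta: username
              expression: evt.Parsed.username
  # Malformed request lines (no "VERB path HTTP/x" split possible). For
  # these events `request` holds the raw quoted request line and `verb` is
  # never set, so the shared http_path static below carries the raw line
  # and http_verb stays empty.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{DATA:request}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
      apply_on: message
      statics:
        - meta: log_type
          value: http_access-log
        - target: evt.StrTime
          expression: evt.Parsed.time_local
# Shared statics: applied whenever any of the four nodes above matched.
statics:
  - meta: service
    value: http
  # source_ip is the address NPM itself logged. None of the patterns above
  # capture X-Forwarded-For, so if a CDN or another reverse proxy sits in
  # front of NPM this is that hop's address, not the end client's — verify
  # before trusting decisions/bans derived from it.
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  - meta: http_status
    expression: "evt.Parsed.status"
  # request, verb, user agent and referer are client-controlled. The
  # NOTDQUOTE/DATA captures bound them to their quoted field; nginx's
  # default log escaping (escape=default) rewrites `"` as \x22, which is
  # what keeps a client from breaking out of that field — TODO confirm
  # NPM's log_format does not disable that escaping.
  - meta: http_path
    expression: "evt.Parsed.request"
  - meta: http_verb
    expression: "evt.Parsed.verb"
  - meta: http_user_agent
    expression: "evt.Parsed.http_user_agent"
  - meta: target_fqdn
    expression: "evt.Parsed.target_fqdn"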