Hub configuration

More info

4# Permission is hereby granted, free of charge, to any person obtaining

5# a copy of this software and associated documentation files (the

6# "Software"), to deal in the Software without restriction, including

7# without limitation the rights to use, copy, modify, merge, publish,

8# distribute, sublicense, and/or sell copies of the Software, and to

9# permit persons to whom the Software is furnished to do so, subject to

10# the following conditions:

12# The above copyright notice and this permission notice shall be

13# included in all copies or substantial portions of the Software.

15# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

16# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

18# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE

19# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION

20# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION

21# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

23# Some of the groks used here are from https://github.com/rgevaert/grok-patterns/blob/master/grok.d/postfix_patterns

24onsuccess: next_stage

25filter: "evt.Parsed.program endsWith '/smtpd'"

26name: crowdsecurity/postfix-logs

27pattern_syntax:

28 POSTFIX_HOSTNAME: '(%{HOSTNAME}|unknown)'

31 RELAY: '(?:%{HOSTNAME:remote_host}(?:\[%{IP:remote_addr}\](?::[0-9]+(.[0-9]+)?)?)?)'

32 SMTP_BASIC_STATUS_CODE: '[0-9]{3}' #250

33 SMTP_ENHANCED_STATUS_CODE: '[0-9.]+' #2.0.0

34 SMTP_RETURN_CODES: '%{SMTP_BASIC_STATUS_CODE:smtp_basic_status_code}( %{SMTP_ENHANCED_STATUS_CODE:smtp_enhanced_status_code})?' #250 2.0.0

35description: "Parse postfix logs"

36nodes:

37 - grok:

38 apply_on: message

39 pattern: 'lost connection after %{DATA:smtp_response} from %{RELAY}'

40 statics:

41 - meta: log_type_enh

42 value: spam-attempt

43 - grok:

44 apply_on: message

45 pattern: 'warning: %{POSTFIX_HOSTNAME:remote_host}\[%{IP:remote_addr}\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:%{GREEDYDATA:message_failure}'

46 statics:

47 - meta: log_type_enh

48 value: spam-attempt

49 - grok:

50 apply_on: message

51 pattern: 'warning: non-SMTP command from %{POSTFIX_HOSTNAME:remote_host}\[%{IP:remote_addr}\]: %{GREEDYDATA:command}'

52 statics:

53 - meta: log_type_enh

54 value: non-smtp-command

55 - grok:

56 apply_on: message

57 pattern: 'NOQUEUE: %{POSTFIX_ACTION:action}: %{DATA:command} from %{RELAY}: %{SMTP_RETURN_CODES:smtp_return_codes} %{GREEDYDATA:reason}'

58 statics:

59 - meta: action

60 expression: "evt.Parsed.action"

61 nodes:

62 ## We check if the reason is not a service unavailable if so we parser more information

63 - filter: "evt.Parsed.reason != 'Service unavailable'"

64 grok:

65 apply_on: reason

66 pattern: "<%{DATA:helo}>: %{GREEDYDATA:reason}; %{GREEDYDATA:kvItems}"

67 statics:

68 - parsed: unused

69 expression: ParseKV(evt.Parsed.kvItems, evt.Unmarshaled, "postfix")

70 - meta: reason

71 expression: "evt.Parsed.reason"

72statics:

73 - meta: service

74 value: postfix

75 - meta: source_ip

76 expression: "evt.Parsed.remote_addr"

77 - meta: source_hostname

78 expression: "evt.Parsed.remote_host"

79 - meta: log_type

80 value: postfix

Hub configuration

« postfix-logs »v0.9 by crowdsecurityLog parser

« postfix-logs »
v0.9 by crowdsecurity
Log parser