# Install the crowdsecurity/proftpd-logs parser (its YAML definition is reproduced below)
cscli parsers install crowdsecurity/proftpd-logs
FTP (ProFTPD): this parser mostly handles authentication failures.
# CrowdSec parser for ProFTPD authentication failures, covering both the stock
# log layout and the Plesk layout. A matching line produces the metas
# log_type / source_ip / target_user and sets evt.StrTime from the parsed timestamp.
onsuccess: next_stage   # a successful parse hands the event on to the next stage
name: proftpd-logs
description: "Parse proftpd logs"
filter: "evt.Parsed.program == 'proftpd'"   # only events already attributed to the proftpd program reach the grok nodes
# We should use the same pattern for "normal" and Plesk logs, but due to an issue in grokky
# handling (issue reference missing in this copy) we cannot :(
pattern_syntax:
  # Stock layout: ISO8601 timestamp, no ':' after "proftpd[...]", and "(name[ip]):" before USER.
  # `hostname` is assigned twice (server host, then client host); which capture wins is
  # grokky-defined — confirm before relying on evt.Parsed.hostname.
  # source_ip comes only from the bracketed %{IP} capture; the unnamed %{IPORHOST} in front
  # of it (presumably the client's resolved name) is discarded, so the banned address is
  # always the literal IP, never a name.
  # %{DATA} inside "proftpd[...]" is not captured — likely the pid, but unverified here.
  PROFTPD_AUTH_FAIL: '%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\] %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\): USER %{USERNAME:username} \(Login failed\): Incorrect password'
  # Unknown-user variant of the stock layout: "(Login failed)" is optional, the message may be
  # "no" or "No such user found", and an optional "from X [Y] to Z:port" tail is accepted.
  # `port` is captured into evt.Parsed.port but no static below promotes it to a meta.
  PROFTPD_BAD_USER: '%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\] %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\): USER %{USERNAME:username}( \(Login failed\))?: (n|N)o such user found( from %{IPORHOST} \[%{IPORHOST}\] to %{IPORHOST}:%{DATA:port})?'
  # Plesk layout: syslog-style timestamp, a ':' after "proftpd[...]", and " - " instead of ":"
  # between the client part and USER. Captures are otherwise the same as the stock pattern.
  PROFTPD_AUTH_FAIL_PLESK: '%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\]: %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\) - USER %{USERNAME:username} \(Login failed\): Incorrect password'
  # Plesk unknown-user variant; same optional pieces as PROFTPD_BAD_USER.
  PROFTPD_BAD_USER_PLESK: '%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\]: %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\) - USER %{USERNAME:username}( \(Login failed\))?: (n|N)o such user found( from %{IPORHOST} \[%{IPORHOST}\] to %{IPORHOST}:%{DATA:port})?'
# Each node applies one of the patterns above to the `message` field. The four patterns
# differ in their fixed separators and trailing text, so at most one should match a line.
nodes:
  - grok:
      pattern: "%{PROFTPD_AUTH_FAIL}"
      apply_on: message
  - grok:
      pattern: "%{PROFTPD_BAD_USER}"
      apply_on: message
  - grok:
      pattern: "%{PROFTPD_AUTH_FAIL_PLESK}"
      apply_on: message
  - grok:
      pattern: "%{PROFTPD_BAD_USER_PLESK}"
      apply_on: message
# Fields exposed to scenarios once a node has matched.
statics:
  - meta: log_type
    value: ftp_failed_auth
  # The address that scenarios will count against (and ultimately remediate).
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  # The username is whatever the client sent in the USER command: it is attacker-supplied
  # text and should be treated as untrusted wherever it is displayed or aggregated.
  - meta: target_user
    expression: "evt.Parsed.username"
  # evt.StrTime receives either an ISO8601 or a syslog-style timestamp string depending on
  # which pattern matched; downstream time parsing is assumed to accept both — confirm.
  - target: evt.StrTime
    expression: evt.Parsed.timestamp