1onsuccess: next_stage
2name: proftpd-logs
3description: "Parse proftpd logs"
4filter: "evt.Parsed.program == 'proftpd'"
5#we should use the same pattern for "normal" and plesk logs, but due to an issue in grokky handling (), we cannot :(
6pattern_syntax:
7  PROFTPD_AUTH_FAIL: '%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\] %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\): USER %{USERNAME:username} \(Login failed\): Incorrect password'
8  PROFTPD_BAD_USER: '%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\] %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\): USER %{USERNAME:username}( \(Login failed\))?: (n|N)o such user found( from %{IPORHOST} \[%{IPORHOST}\] to %{IPORHOST}:%{DATA:port})?'
9  PROFTPD_AUTH_FAIL_PLESK: '%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\]: %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\) - USER %{USERNAME:username} \(Login failed\): Incorrect password'
10  PROFTPD_BAD_USER_PLESK: '%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} proftpd\[%{DATA}\]: %{IPORHOST:hostname} \(%{IPORHOST}\[%{IP:source_ip}\]\) - USER %{USERNAME:username}( \(Login failed\))?: (n|N)o such user found( from %{IPORHOST} \[%{IPORHOST}\] to %{IPORHOST}:%{DATA:port})?'
11nodes:
12  - grok:
13      pattern: "%{PROFTPD_AUTH_FAIL}"
14      apply_on: message
15  - grok:
16      pattern: "%{PROFTPD_BAD_USER}"
17      apply_on: message
18  - grok:
19      pattern: "%{PROFTPD_AUTH_FAIL_PLESK}"
20      apply_on: message
21  - grok:
22      pattern: "%{PROFTPD_BAD_USER_PLESK}"
23      apply_on: message
24statics:
25    - meta: log_type
26      value: ftp_failed_auth
27    - meta: source_ip
28      expression: "evt.Parsed.source_ip"
29    - meta: target_user
30      expression: "evt.Parsed.username"
31    - target: evt.StrTime
32      expression: evt.Parsed.timestamp