cscli parsers install crowdsecurity/sabnzbd-logs
A parser for sabnzbd authentication failures. This parser will attempt to override the source_ip
with the first of the comma-separated X-Forwarded-For values provided by the sabnzbd logs.
If X-Forwarded-For is not present, the source_ip will be set to the first IP address.
# CrowdSec parser for sabnzbd failed-login messages.
# Output: meta.log_type = sabnzbd_failed_auth, meta.service = sabnzbd,
# meta.source_ip (see the statics section at the bottom), evt.StrTime.
onsuccess: next_stage
#debug: true
# Only handle lines the acquisition tagged as coming from the sabnzbd program.
filter: "evt.Parsed.program == 'sabnzbd'"
name: crowdsecurity/sabnzbd-logs
description: "Parse sabnzbd authentication failures"
pattern_syntax:
  # Defined here but not referenced by any node in this file; the outer grok
  # below uses TIMESTAMP_ISO8601 instead.
  SABNZBD_TIMESTAMP: '%{SYSLOGTIMESTAMP:timestamp}'
  # Optional "(X-Forwarded-For: <ip>...)" group followed by "[<user agent>]".
  # Only the first address of the header is captured as first_forwarded; the
  # trailing ".*" drops the remainder of the header value (e.g. the proxy chain).
  SABNZBD_SUFFIX: '( \(X-Forwarded-For: %{IP:first_forwarded}.*\))? \[%{GREEDYDATA:user_agent}\]'
nodes:
  # Outer node: split the sabnzbd line into timestamp, log level, [module:pid]
  # and the free-text message, which the child nodes match against.
  - grok:
      pattern: '%{TIMESTAMP_ISO8601:timestamp}::%{DATA:log_level}::\[%{DATA}:%{INT:pid}\] %{GREEDYDATA:sabnzbd_message}'
      apply_on: message
    nodes:
      # One child per localized "unsuccessful login" message. Each captures the
      # directly logged client address as first_ip plus SABNZBD_SUFFIX and tags
      # the event as a failed authentication.
      # English
      - grok:
          pattern: 'Unsuccessful login attempt from %{IP:first_ip}%{SABNZBD_SUFFIX}'
          apply_on: sabnzbd_message
        statics:
          - meta: log_type
            value: sabnzbd_failed_auth
      # German
      - grok:
          pattern: 'Fehlerhafter Login Versuch von %{IP:first_ip}%{SABNZBD_SUFFIX}'
          apply_on: sabnzbd_message
        statics:
          - meta: log_type
            value: sabnzbd_failed_auth
      # French
      - grok:
          pattern: 'Echec de la tentative de connexion de %{IP:first_ip}%{SABNZBD_SUFFIX}'
          apply_on: sabnzbd_message
        statics:
          - meta: log_type
            value: sabnzbd_failed_auth
      # Dutch
      - grok:
          pattern: 'Mislukte login poging van %{IP:first_ip}%{SABNZBD_SUFFIX}'
          apply_on: sabnzbd_message
        statics:
          - meta: log_type
            value: sabnzbd_failed_auth

statics:
  - meta: service
    value: sabnzbd
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  # Prefer the X-Forwarded-For address when the log line carried one, otherwise
  # fall back to the address sabnzbd logged directly.
  # NOTE(review): first_forwarded is copied from a request header that sabnzbd
  # echoes into its log. It is only meaningful when sabnzbd is reached through a
  # reverse proxy the operator controls that sets/overwrites that header; if
  # sabnzbd is reachable directly, the header is client-supplied and source_ip
  # would no longer reflect the real peer. Confirm the deployment before relying
  # on this value for decisions.
  - meta: source_ip
    expression: "evt.Parsed.first_forwarded != '' ? evt.Parsed.first_forwarded : evt.Parsed.first_ip"