stirling-pdf-logs Log Parser

« stirling-pdf-logs »
v0.1 by crowdsecurity
Log parser

Parse Stirling PDF logs

Installation

cscli parsers install crowdsecurity/stirling-pdf-logs

Description

Currently this parser only parses authentication failure logs

Example acquisition:

filenames:
  - /path/to/logs/invalid-auths.log
  - /path/to/logs/info-*.log
labels:
  type: stirling-pdf

YAML Configuration

1onsuccess: next_stage
2debug: false
3filter: "evt.Parsed.program == 'stirling-pdf'"
4name: crowdsecurity/stirling-pdf-logs
5description: "Parse Stirling PDF logs"
6nodes:
7  - grok:
8      pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} .*CustomAuthenticationFailureHandler \\[.*\\] Failed login attempt from IP: \\[?%{IP:source_ip}\\]?"
9      apply_on: message
10    statics:
11      - meta: log_type
12        value: failed_authentication
13statics:
14  - meta: service
15    value: stirling-pdf
16  - meta: source_ip
17    expression: "evt.Parsed.source_ip"
18  - target: evt.StrTime
19    expression: evt.Parsed.timestamp

Hub configuration

« stirling-pdf-logs »v0.1 by crowdsecurityLog parser

« stirling-pdf-logs »
v0.1 by crowdsecurity
Log parser