1# Synology DSM auth.log
2#debug: true
3filter: "evt.Parsed.program matches 'synoscgi_SYNO.API.Auth_[1-9]([0-9])?_login'"
4name: crowdsecurity/synology-dsm-logs
5description: "Parse Synology DSM web auth logs"
6onsuccess: next_stage
7format: 2.0
8pattern_syntax:
9  TIMESTAMP: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}+%{ISO8601_TIMEZONE}'
10# The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2
11# https://github.com/crowdsecurity/crowdsec/issues/938
12  IPv4_WORKAROUND: '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
13  IP_WORKAROUND: '(?:%{IPV6}|%{IPv4_WORKAROUND})'
14  AUTH_LOG_FAIL: 'pam_unix\(webui:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}'
15grok:
16  pattern: "%{AUTH_LOG_FAIL}"
17  apply_on: message
18  statics:
19    - meta: log_type
20      value: synology-dsm_failed_auth
21statics:
22  - meta: log_type
23    value: synology-dsm_failed_auth
24  - meta: service
25    value: synology-dsm
26  - meta: source_ip
27    expression: "evt.Parsed.src_ip"
28