1#If it's syslog, we are going to extract progname from it
2filter: "evt.Line.Labels.type == 'syslog'"
3onsuccess: next_stage
4pattern_syntax:
5  RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}'
6  RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]'
7name: crowdsecurity/syslog-logs
8nodes:
9  - grok:
10      #this is a named regular expression. grok patterns can be kept into separate files for readability
11      pattern: "^%{SYSLOGLINE}" 
12      #This is the field of the `Event` to which the regexp should be applied
13      apply_on: Line.Raw
14  - grok:
15      #a second pattern for unparsed syslog lines, as saw in opnsense
16      pattern: '%{RAW_SYSLOG_PREFIX} - %{RAW_SYSLOG_META} %{GREEDYDATA:message}'
17      apply_on: Line.Raw
18#if the node was successfull, statics will be applied.
19statics:
20  - meta: machine
21    expression: evt.Parsed.logsource
22  - parsed: "logsource"
23    value: "syslog"
24# syslog date can be in two different fields (one of hte assignment will fail)
25  - target: evt.StrTime
26    expression: evt.Parsed.timestamp
27  - target: evt.StrTime
28    expression: evt.Parsed.timestamp8601
29  - meta: datasource_path
30    expression: evt.Line.Src
31  - meta: datasource_type
32    expression: evt.Line.Module
33---
34#if it's not syslog, the type is the progname
35filter: "evt.Line.Labels.type not in ['syslog', 'unifi']"
36onsuccess: next_stage
37name: crowdsecurity/non-syslog
38#debug: true
39statics:
40  - parsed: message
41    expression: evt.Line.Raw
42  - parsed: program
43    expression: evt.Line.Labels.type
44  - meta: datasource_path
45    expression: evt.Line.Src
46  - meta: datasource_type
47    expression: evt.Line.Module
48
49