teamspeak3-logs Log Parser

« teamspeak3-logs »
v0.2 by crowdsecurity
Log parser

Parse teamspeak3 server logs

Installation

cscli parsers install crowdsecurity/teamspeak3-logs

Description

A parser for teamspeak3 server logs.

As teamspeak3 logging is limited, only failed logins via ssh/telnet are parsed.

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.program == 'ts3'"
3name: crowdsecurity/teamspeak3-logs
4#debug: true
5description: "Parse teamspeak3 server logs"
6pattern_syntax:
7  NOPIPE: '[a-zA-Z\s]+'
8  TS3_AUTH_FAIL: '^%{TIMESTAMP_ISO8601:timestamp}\|%{NOPIPE:level}\|%{NOPIPE:service}\|%{NOPIPE:empty}\|query from %{INT:chan} \[?%{IP:src_ip}\]?:%{INT:src_port} attempted to login with account "%{DATA:login}" and failed!$'
9#2022-12-29 11:39:26.009756|INFO    |Query         |   |query from 11 127.0.0.1:48426 attempted to login with account "toto" and failed!
10#2023-01-13 00:44:27.543333|INFO    |Query         |   |query from 101 [fd00:feed:dead:beef:405f:26ff:fe06:d4b]:34232 attempted to login with account "toto" and failed!
11
12grok:
13  name: TS3_AUTH_FAIL
14  apply_on: message
15  statics:
16    - meta: service
17      value: teamspeak3
18    - meta: log_type
19      value: ts3_fail_auth
20    - meta: source_ip
21      expression: "evt.Parsed.src_ip"
22    - target: evt.StrTime
23      expression: evt.Parsed.timestamp
24

Hub configuration

« teamspeak3-logs »v0.2 by crowdsecurityLog parser

« teamspeak3-logs »
v0.2 by crowdsecurity
Log parser