1name: crowdsecurity/teleport-logs
2description: "Parse teleport logs"
3filter: "evt.Parsed.program == 'teleport' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'teleport') in ['', nil]"
4#debug: true
5onsuccess: next_stage
6statics:
7  - meta: service
8    value: teleport
9  - meta: sub_type
10    expression: evt.Unmarshaled.teleport.event
11  - meta: success
12    expression: "evt.Unmarshaled.teleport.success ? 'true' : 'false'"
13## Set for impossible travel scenario
14  - meta: log_type
15    expression: "evt.Unmarshaled.teleport.success ? 'auth_success' : 'auth_failed'"
16##Converting a bool with sprintf is very slow, so we use a ternary expression
17  - target: evt.StrTime
18    expression: evt.Unmarshaled.teleport.time
19  - meta: user
20    expression: evt.Unmarshaled.teleport.user
21  - meta: source_ip
22    expression: Split(evt.Unmarshaled.teleport["addr.remote"], ':')[0]
23  - meta: http_user_agent
24    expression: evt.Unmarshaled.teleport["user_agent"]