1onsuccess: next_stage
2name: vsftpd-logs
3description: "Parse VSFTPD logs"
4filter: "evt.Parsed.program == 'vsftpd'"
5#debug: true
6pattern_syntax:
7  # Custom grok for some versions that add an extra space before single digit monthday
8  # Not perfect because extra ,spaces are not trimmed in resulting 'timestamp' capture
9  CUSTOM_HTTPDERROR_DATE: '%{DAY} %{MONTH} (?:\s?)%{MONTHDAY} %{TIME} %{YEAR}'
10  FTP_AUTH_FAIL: '%{CUSTOM_HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] FAIL LOGIN: Client "(::ffff:)?%{IP:source_ip}"'
11  FTP_DENIED_USER: '%{CUSTOM_HTTPDERROR_DATE:timestamp} \[pid %{NUMBER}\] \[%{GREEDYDATA:user}\] FTP response: Client "(::ffff:)?%{IP:source_ip}", "530 Permission denied."'
12nodes:
13  - grok:
14      pattern: "%{FTP_AUTH_FAIL}"
15      apply_on: message
16  - grok:
17      pattern: "%{FTP_DENIED_USER}"
18      apply_on: message
19statics:
20    - meta: program
21      value: vsftpd
22    - meta: log_type
23      value: ftp_failed_auth
24    - meta: source_ip
25      expression: "evt.Parsed.source_ip"
26    - meta: user
27      expression: "evt.Parsed.user"
28    - target: evt.StrTime
29      expression: evt.Parsed.timestamp
30    - target: evt.StrTimeFormat
31      value: "Mon Jan _2 15:04:05 2006"
32