proxmox-logs Configuration

Installation

cscli parsers install fulljackz/proxmox-logs

Description

A simple parser for Proxmox VE Web interface. Proxmox VE is listening on port 8006/tcp and write ssh fails into syslog

Error

1Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
2Jan  4 17:34:22 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure

In the first string, the user does not exist. In the second user exists but auth fail.

Success

1Jan  4 17:34:27 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'

?

Proxmox-logs parser is used only for authentication failures.

1line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
2	├ s00-raw
3	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
4	├ s01-parse
5	|	└ 🟢 fulljackz/proxmox-logs (+8)
6	├-------- parser success 🟢
7	├ Scenarios
8		└ 🟢 fulljackz/proxmox-bf
9
10line: Jan  4 17:34:01 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
11	├ s00-raw
12	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
13	├ s01-parse
14	|	└ 🟢 fulljackz/proxmox-logs (+8)
15	├-------- parser success 🟢
16	├ Scenarios
17		└ 🟢 fulljackz/proxmox-bf
18
19line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
20	├ s00-raw
21	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
22	├ s01-parse
23	|	└ 🟢 fulljackz/proxmox-logs (+8)
24	├-------- parser success 🟢
25	├ Scenarios
26		└ 🟢 fulljackz/proxmox-bf
27
28line: Jan  4 17:34:07 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
29	├ s00-raw
30	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
31	├ s01-parse
32	|	└ 🟢 fulljackz/proxmox-logs (+8)
33	├-------- parser success 🟢
34	├ Scenarios
35		└ 🟢 fulljackz/proxmox-bf
36
37line: Jan  4 17:34:08 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
38	├ s00-raw
39	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
40	├ s01-parse
41	|	└ 🔴 fulljackz/proxmox-logs
42	└-------- parser failure 🔴
43
44line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
45	├ s00-raw
46	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
47	├ s01-parse
48	|	└ 🟢 fulljackz/proxmox-logs (+8)
49	├-------- parser success 🟢
50	├ Scenarios
51		└ 🟢 fulljackz/proxmox-bf
52
53line: Jan  4 17:34:11 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
54	├ s00-raw
55	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
56	├ s01-parse
57	|	└ 🔴 fulljackz/proxmox-logs
58	└-------- parser failure 🔴
59
60line: Jan  4 17:34:12 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
61	├ s00-raw
62	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
63	├ s01-parse
64	|	└ 🟢 fulljackz/proxmox-logs (+8)
65	├-------- parser success 🟢
66	├ Scenarios
67		└ 🟢 fulljackz/proxmox-bf
68
69line: Jan  4 17:34:13 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
70	├ s00-raw
71	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
72	├ s01-parse
73	|	└ 🔴 fulljackz/proxmox-logs
74	└-------- parser failure 🔴
75
76line: Jan  4 17:34:02 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
77	├ s00-raw
78	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
79	├ s01-parse
80	|	└ 🟢 fulljackz/proxmox-logs (+8)
81	├-------- parser success 🟢
82	├ Scenarios
83		└ 🟢 fulljackz/proxmox-bf
84
85line: Jan  4 17:34:03 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
86	├ s00-raw
87	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
88	├ s01-parse
89	|	└ 🔴 fulljackz/proxmox-logs
90	└-------- parser failure 🔴

YAML Configuration

1#debug: true
2name: fulljackz/proxmox-logs
3description: "Parse proxmox logs for bruteforce attempts"
4filter: "evt.Parsed.program == 'pvedaemon'"
5onsuccess: next_stage
6pattern_syntax:
7  PVE_AUTH_FAIL: 'authentication failure; rhost=%{IP:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg='
8nodes:
9  - grok:
10      name: "PVE_AUTH_FAIL"
11      apply_on: message
12      statics:
13        - meta: log_type
14          value: pve_failed-auth
15        - meta: source_user
16          expression: "evt.Parsed.source_user"
17statics:
18    - meta: service
19      value: pvedaemon
20    - meta: source_ip
21      expression: "evt.Parsed.client_ip"
22

Hub configuration

« proxmox-logs »
v0.2 by fulljackz
Log parser

Hub configuration

« proxmox-logs »v0.2 by fulljackzLog parser

« proxmox-logs »
v0.2 by fulljackz
Log parser