proxmox-logs Configuration

Installation

cscli parsers install fulljackz/proxmox-logs

Description

A simple parser for Proxmox VE Web interface. Proxmox VE is listening on port 8006/tcp and write ssh fails into syslog

Error

Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
Jan  4 17:34:22 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure

In the first string, the user does not exist. In the second user exists but auth fail.

Success

Jan  4 17:34:27 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'

?

Proxmox-logs parser is used only for authentication failures.

line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:01 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:07 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:08 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🔴 fulljackz/proxmox-logs
	└-------- parser failure 🔴

line: Jan  4 17:34:08 hypervisor pvedaemon[3663339]: authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:11 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🔴 fulljackz/proxmox-logs
	└-------- parser failure 🔴

line: Jan  4 17:34:12 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:13 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🔴 fulljackz/proxmox-logs
	└-------- parser failure 🔴

line: Jan  4 17:34:02 hypervisor pvedaemon[3483744]: authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🟢 fulljackz/proxmox-logs (+8)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 fulljackz/proxmox-bf

line: Jan  4 17:34:03 hypervisor pvedaemon[2891825]: <root@pam> successful auth for user 'root@pam'
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	└ 🔴 fulljackz/proxmox-logs
	└-------- parser failure 🔴

YAML Configuration

1#debug: true
2name: fulljackz/proxmox-logs
3description: "Parse proxmox logs for bruteforce attempts"
4filter: "evt.Parsed.program == 'pvedaemon'"
5onsuccess: next_stage
6pattern_syntax:
7  PVE_AUTH_FAIL: 'authentication failure; rhost=%{IP:client_ip} user=%{USERNAME:source_user}@%{WORD:realm} msg='
8nodes:
9  - grok:
10      name: "PVE_AUTH_FAIL"
11      apply_on: message
12      statics:
13        - meta: log_type
14          value: pve_failed-auth
15        - meta: source_user
16          expression: "evt.Parsed.source_user"
17statics:
18    - meta: service
19      value: pvedaemon
20    - meta: source_ip
21      expression: "evt.Parsed.client_ip"
22

Hub configuration

« proxmox-logs »
v0.2 by fulljackz
Log parser

Hub configuration

« proxmox-logs »v0.2 by fulljackzLog parser

« proxmox-logs »
v0.2 by fulljackz
Log parser