cscli parsers install fulljackz/pureftpd-logs
A simple parser for Pure-FTPd. It matches only the `[WARNING] Authentication failed for user [...]` lines that the fulljackz/pureftpd-bf scenario consumes; other Pure-FTPd messages, such as the `[INFO] ... is now logged in` line below, are deliberately left unparsed.
Jan 7 14:19:35 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [root]
Jan 7 14:19:36 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [root]
Jan 7 14:20:06 ftpcdr pure-ftpd: (?@172.21.10.2) [INFO] user@test.com is now logged in
line: Jan 7 14:20:01 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [root]
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (first_parser)
    ├ s01-parse
    |   └ 🟢 fulljackz/pureftpd-logs (+6)
    ├-------- parser success 🟢
    ├ Scenarios
        └ 🟢 fulljackz/pureftpd-bf
line: Jan 7 14:20:06 ftpcdr pure-ftpd: (?@172.21.10.2) [INFO] user@test.com is now logged in
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (first_parser)
    ├ s01-parse
    |   └ 🔴 fulljackz/pureftpd-logs
    └-------- parser failure 🔴
line: Jan 7 14:19:31 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [root]
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (first_parser)
    ├ s01-parse
    |   └ 🟢 fulljackz/pureftpd-logs (+6)
    ├-------- parser success 🟢
    ├ Scenarios
        └ 🟢 fulljackz/pureftpd-bf
# The published file ships with debug logging on; crowdsec will log every
# evaluation of this parser. Set it to false once you have verified it works.
debug: true
name: fulljackz/pureftpd-logs
description: "Parse pureftpd logs for bruteforce attempts"
# Only events that s00-raw tagged with program "pure-ftpd" reach this node.
filter: "evt.Parsed.program == 'pure-ftpd'"
onsuccess: next_stage
pattern_syntax:
  # The leading "\(?" is an optional "(", so the match effectively starts at
  # "@<ip>)" (grok matching is unanchored). %{WORD} only accepts [A-Za-z0-9_],
  # so a username containing "." or "@" makes the whole line fail to parse.
  PFTPD_AUTH_FAIL: '\(?@%{IP:client_ip}\) \[WARNING\] Authentication failed for user \[%{WORD:user}\]'
nodes:
  - grok:
      name: "PFTPD_AUTH_FAIL"
      apply_on: message
    statics:
      - meta: log_type
        value: pftpd_failed-auth
      - meta: source_user
        expression: "evt.Parsed.user"
statics:
  - meta: service
    value: pureftpd
  - meta: source_ip
    expression: "evt.Parsed.client_ip"
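To see what the parser above actually hands to the scenario, here is an added Python re-implementation of its pipeline (not part of the hub parser or of crowdsec): a simplified syslog split standing in for crowdsecurity/syslog-logs, the program filter, the PFTPD_AUTH_FAIL grok pattern translated to a Python regex (%{IP} narrowed to IPv4, %{WORD} expanded to grok's \b\w+\b), and the statics. The sample lines are constructed: the first two are the page's, the sshd line and the `[john.doe]` line are added to show the program filter and the %{WORD} limitation.

```python
import re
from typing import Optional

# Constructed sample input. Lines 1-2 are the page's examples; 3-4 are added.
SAMPLE_LINES = [
    "Jan 7 14:19:35 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [root]",
    "Jan 7 14:20:06 ftpcdr pure-ftpd: (?@172.21.10.2) [INFO] user@test.com is now logged in",
    "Jan 7 14:21:00 ftpcdr sshd[123]: Failed password for root from 172.21.10.2 port 2222 ssh2",
    "Jan 7 14:22:10 ftpcdr pure-ftpd: (?@172.21.10.2) [WARNING] Authentication failed for user [john.doe]",
]

# Stand-in for the s00-raw stage (crowdsecurity/syslog-logs): split the
# classic syslog prefix into timestamp, hostname, program[pid] and message.
# Simplified regex written for this example, not crowdsec's own pattern.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Python equivalent of the hub pattern PFTPD_AUTH_FAIL:
#   '\(?@%{IP:client_ip}\) \[WARNING\] Authentication failed for user \[%{WORD:user}\]'
# %{IP} is narrowed to IPv4 here (assumption); %{WORD} is grok's \b\w+\b.
# Note the leading "\(?" is an optional "(", so the real anchor is "@<ip>)".
PFTPD_AUTH_FAIL = re.compile(
    r"\(?@(?P<client_ip>(?:\d{1,3}\.){3}\d{1,3})\) "
    r"\[WARNING\] Authentication failed for user \[(?P<user>\b\w+\b)\]"
)


def parse_pureftpd(line: str) -> Optional[dict]:
    """Run one log line through the same steps as the hub parser.

    Returns the meta fields the scenario would see on 'parser success',
    or None wherever `cscli explain` reports 'parser failure'.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parsed = m.groupdict()

    # filter: "evt.Parsed.program == 'pure-ftpd'"
    if parsed["program"] != "pure-ftpd":
        return None

    # grok node: apply PFTPD_AUTH_FAIL on evt.Parsed.message (unanchored search,
    # which is how grok matches).
    g = PFTPD_AUTH_FAIL.search(parsed["message"])
    if not g:
        return None

    # statics from the node and from the parser root.
    return {
        "service": "pureftpd",
        "log_type": "pftpd_failed-auth",
        "source_ip": g.group("client_ip"),
        "source_user": g.group("user"),
    }


def run_samples(lines=SAMPLE_LINES) -> list:
    """Parse every sample line; returns a list of (line, meta-or-None)."""
    return [(line, parse_pureftpd(line)) for line in lines]


if __name__ == "__main__":
    for line, meta in run_samples():
        status = "parser success" if meta else "parser failure"
        print(f"{status}: {line}")
        if meta:
            print(f"    meta: {meta}")
```

Running it reproduces the `cscli explain` result above: the two `Authentication failed` lines yield `source_ip=172.21.10.2`, `source_user=root`, the `[INFO]` login line fails to parse, the sshd line is dropped by the program filter, and the constructed `[john.doe]` line fails because `%{WORD}` does not accept a dot. If your FTP users log in with e-mail style or dotted names, brute force against those accounts will not reach the scenario until the pattern is widened.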