1onsuccess: next_stage
2#debug: false
3name: gauth-fr/immich-logs
4description: "Parse Immich logs"
5filter: "evt.Parsed.program == 'immich'"
6pattern_syntax:
7  IMMICH_CUSTOMDATE_PM: "%{MONTHNUM2}/%{MONTHDAY}/%{YEAR}, %{TIME} (AM|PM|am|pm)"
8  IMMICH_CUSTOMDATE: "%{MONTHNUM2}/%{MONTHDAY}/%{YEAR}, %{TIME}"
9nodes:
10  - grok:
11      pattern: ".*%{IMMICH_CUSTOMDATE_PM:timestamp}.*Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}.*"
12      #[Nest] 7  - 08/02/2023, 7:34:03 PM    WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
13
14      apply_on: message
15      statics:
16        - meta: log_type
17          value: immich_failed_auth
18        - target: evt.StrTimeFormat
19          value: "01/02/2006, 3:04:05 PM"
20  - grok:
21      pattern: ".*%{IMMICH_CUSTOMDATE:timestamp}.*Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}.*"
22      #[Nest] 7  - 08/02/2023, 7:34:03    WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
23
24      apply_on: message
25      statics:
26        - meta: log_type
27          value: immich_failed_auth
28        - target: evt.StrTimeFormat
29          value: "01/02/2006, 15:04:05"
30
31statics:
32    - meta: service
33      value: immich
34    - meta: user
35      expression: "evt.Parsed.username"
36    - meta: source_ip
37      expression: "evt.Parsed.source_ip"
38    - target: evt.StrTime
39      expression: evt.Parsed.timestamp
40