cscli parsers install plague-doctor/audiobookshelf-logs
A parser that extracts failed login attempts (`[Auth] Failed login attempt for username "..." from ip ... (...)`) from Audiobookshelf logs, in both the plain-text and the JSON log format, and exposes the source IP and the submitted username as event metadata for scenarios to act on.
Example acquisition configuration for this parser:
---
# Acquisition for the Audiobookshelf parser: tail the text log files and tag
# every line with `type: audiobookshelf`. CrowdSec's base parsers expose that
# label as evt.Parsed.program, which is what the parser's filter
# (Upper(evt.Parsed.program) == 'AUDIOBOOKSHELF') keys on — keep the two in sync.
# NOTE(review): the glob below is an example; point it at the directory your
# instance actually writes its logs to (container installs differ).
labels:
  type: audiobookshelf
filenames:
  - /var/log/audiobookshelf/*.txt
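# CrowdSec parser: Audiobookshelf failed login attempts.
#
# Matches the "[Auth] Failed login attempt for username ... from ip ... (...)"
# message in both the plain-text log format (node 1) and the JSON log format
# (node 2) and exposes the offending IP and the submitted username as event
# metadata for scenarios.
onsuccess: next_stage
#debug: true
# Only consider lines acquired with the `type: audiobookshelf` label; for file
# sources CrowdSec's base parsers populate evt.Parsed.program from that label.
filter: "Upper(evt.Parsed.program) == 'AUDIOBOOKSHELF'"
name: plague-doctor/audiobookshelf-logs
description: "Parse Audiobookshelf logs"
pattern_syntax:
  # The username is captured GREEDILY on purpose. On a failed attempt the logged
  # username is whatever the client submitted, so with a narrow or non-greedy
  # capture (e.g. %{USERNAME}, which also silently drops any username outside
  # [a-zA-Z0-9._-]) a submitted username such as
  #   x" from ip 203.0.113.9 (
  # would make %{IP:source_ip} bind to the injected address, i.e. an attacker
  # could get an arbitrary third-party IP banned instead of their own. The server
  # appends the real client IP and the reason AFTER the username, so binding
  # source_ip to the LAST `" from ip <ip> (<reason>)` on the line is the safe
  # choice. CrowdSec's Go regexp engine is linear-time, so the greedy match is
  # not a ReDoS vector.
  # NOTE(review): if a raw text line ever carries a backslash-escaped closing
  # quote, the greedy capture keeps that backslash in `username` (cosmetic only;
  # the JSON node unescapes the message before matching).
  ABS_FAILED_AUTH: '\[Auth\] Failed login attempt for username \\?"%{GREEDYDATA:username}\\?" from ip %{IP:source_ip} \(%{DATA:reason}\)'
nodes:
  # Node 1: plain-text log line, `[<ISO8601 timestamp>] ERROR: [Auth] Failed ...`.
  - grok:
      pattern: '\[%{TIMESTAMP_ISO8601:timestamp}\] ERROR: %{ABS_FAILED_AUTH}'
      apply_on: message
    statics:
      - meta: log_type
        value: abs_failed_auth
  # Node 2: JSON log line. The line is decoded into evt.Unmarshaled.abs (the
  # filter passes only when UnmarshalJSON reports no error) and the grok runs on
  # its `message` field; the timestamp is taken from the JSON object in the
  # top-level statics below.
  - filter: 'UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "abs") in ["", nil]'
    grok:
      pattern: "%{ABS_FAILED_AUTH}"
      expression: evt.Unmarshaled.abs.message
    statics:
      - meta: log_type
        value: abs_failed_auth
# Applied after a node has matched.
statics:
  - meta: service
    value: audiobookshelf
  # This is what scenarios ban on — see the pattern_syntax note on why the
  # capture must not be spoofable through the username.
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  # Node 1 captures the timestamp from the line prefix; node 2 has no prefix, so
  # fall back to the timestamp carried in the JSON object.
  - target: evt.StrTime
    expression: 'evt.Parsed.timestamp != "" ? evt.Parsed.timestamp : evt.Unmarshaled.abs.timestamp'
  # Attacker-supplied on failed attempts — treat as untrusted text downstream
  # (notifications, dashboards).
  - meta: username
    expression: "evt.Parsed.username"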