openvpn Log Parser

Tested with OpenVPN 2.6.3.
Parser was created for level 3. (verb 3)

1--verb n
2
3Set output verbosity to n (default 1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.

1filter: "evt.Line.Labels.type == 'openvpn'"

2onsuccess: next_stage

3name: pserranoa/openvpn

4description: "Parse openvpn logs"

5pattern_syntax:

6 OPENVPN_TLS_AUTH_ERROR: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:sport} TLS Auth Error:.*"

7 OPENVPN_AUTH_FAILED: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:sport} AUTH: Received control message: AUTH_FAILED"

8 OPENVPN_AUTH_VERIFY_ERROR: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:source_port} VERIFY ERROR:.*"

9 OPENVPN_TLS_CRYPT: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:sport} TLS Error: tls-crypt unwrapping failed from.*"

10 OPENVPN_TLS_PACKET: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:sport} TLS Error: incoming packet authentication failed from.*"

11 OPENVPN_TLS_HANDSHAKE: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:sport} TLS Error: TLS handshake failed from.*"

12 OPENVPN_TLS_CERT: "%{TIMESTAMP_ISO8601:timestamp} (?:%{WORD:client}/|)%{IPV4:source_ip}:%{INT:source_port} OpenSSL: error:%{WORD}:.*verify failed"

13nodes:

14 - grok:

15 name: "OPENVPN_TLS_AUTH_ERROR"

16 apply_on: message

17 - grok:

18 name: "OPENVPN_AUTH_FAILED"

19 apply_on: message

20 - grok:

21 name: "OPENVPN_AUTH_VERIFY_ERROR"

22 apply_on: message

23 - grok:

24 name: "OPENVPN_TLS_CRYPT"

25 apply_on: message

26 - grok:

27 name: "OPENVPN_TLS_PACKET"

28 apply_on: message

29 - grok:

30 name: "OPENVPN_TLS_HANDSHAKE"

31 apply_on: message

32 - grok:

33 name: "OPENVPN_TLS_CERT"

34 apply_on: message

35statics:

36 - meta: service

37 value: openvpn

38 - meta: source_ip

39 expression: "evt.Parsed.source_ip"

40 - meta: log_type

41 value: auth_failed

42 - target: evt.StrTime

43 expression: evt.Parsed.timestamp

Hub configuration

« openvpn »
v0.1 by pserranoa
Attack scenario

Hub configuration

« openvpn »v0.1 by pserranoaAttack scenario

« openvpn »
v0.1 by pserranoa
Attack scenario