1onsuccess: next_stage
2filter: "Upper(evt.Parsed.program) == 'GITLAB' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'gitlab') in ['', nil]"
3name: timokoessler/gitlab-logs
4description: "Parse GitLab Logs"
5nodes:
6  - filter: |
7      evt.Unmarshaled.gitlab.method == 'POST' &&
8      evt.Unmarshaled.gitlab.path in ['/users/sign_in', '/users/auth/ldapmain/callback'] &&
9      any(evt.Unmarshaled.gitlab.params, {.key == 'user' && .value.login != ''}) &&
10      (evt.Unmarshaled.gitlab.status == 0 || evt.Unmarshaled.gitlab.action == 'failure')
11    statics:
12      - meta: log_type
13        value: "gitlab_failed_password"
14      - meta: username
15        expression: filter(evt.Unmarshaled.gitlab.params, {.key == 'user' && .value.login != ''})[0]['value']['login']
16  - filter: |
17      evt.Unmarshaled.gitlab.method == 'POST' &&
18      evt.Unmarshaled.gitlab.path in ['/users/sign_in', '/users/auth/ldapmain/callback'] &&
19      any(evt.Unmarshaled.gitlab.params, {.key == 'username' && .value != ''}) &&
20      (evt.Unmarshaled.gitlab.status == 0 || evt.Unmarshaled.gitlab.action == 'failure')
21    statics:
22      - meta: log_type
23        value: "gitlab_failed_password"
24      - meta: username
25        expression: filter(evt.Unmarshaled.gitlab.params, {.key == 'username' && .value != ''})[0]['value']
26  - filter: |
27      evt.Unmarshaled.gitlab.method == 'POST' &&
28      evt.Unmarshaled.gitlab.path == '/users/sign_in' &&
29      any(evt.Unmarshaled.gitlab.params, {.key == 'user' && .value.otp_attempt != nil}) &&
30      evt.Unmarshaled.gitlab.status != 302
31    statics:
32      - meta: log_type
33        value: "gitlab_failed_totp"
34
35statics:
36  - meta: service
37    value: gitlab
38  - meta: source_ip
39    expression: evt.Unmarshaled.gitlab.remote_ip
40  - parsed: timestamp
41    expression: evt.Unmarshaled.gitlab.time
42  - target: evt.StrTime
43    expression: "evt.Parsed.timestamp"
44