bookstack-logs Log Parser

« bookstack-logs »
v0.2 by xs539
Log parser

Parse bookstack logs

Installation

cscli parsers install xs539/bookstack-logs

Description

Parser for Bookstack logs

You will need to enable Failed Access Logging (off by default)

LOG_FAILED_LOGIN_MESSAGE="Failed login for %u"

Example acquisition config:

---
filenames:
 - /var/log/bookstack.log
labels:
  type: bookstack
---

YAML Configuration

1onsuccess: next_stage
2filter: "Lower(evt.Parsed.program) in ['bookstack']"
3name: xs539/bookstack-logs
4description: "Parse bookstack logs"
5pattern_syntax:
6  BOOKSTACK_USER: "(%{EMAILADDRESS}|%{USERNAME})"
7nodes:
8  - grok:
9      pattern: '%{NGINXERRTIME:timestamp}%{GREEDYDATA}Failed login for %{BOOKSTACK_USER:target_user}%{GREEDYDATA}client: %{IPORHOST:remote_addr}'
10      apply_on: message
11  - grok:
12      pattern: '\[%{APACHEERRORTIME:timestamp}\] \[php:%{WORD:log_level}\] \[pid %{INT:pid}\] \[client %{IPORHOST:remote_addr}(:%{INT:remote_port})?\] Failed login for %{BOOKSTACK_USER:target_user}(, referer: %{GREEDYDATA:http_referer})?'
13      apply_on: message
14statics:
15    - meta: log_type
16      value: bookstack_failed_auth
17    - meta: target_user
18      expression: evt.Parsed.target_user
19    - meta: service
20      value: bookstack
21    - target: evt.StrTime
22      expression: evt.Parsed.timestamp
23    - meta: source_ip
24      expression: evt.Parsed.remote_addr
25

Hub configuration

« bookstack-logs »v0.2 by xs539Log parser

« bookstack-logs »
v0.2 by xs539
Log parser