From b5567ff747c036cc17b1bd1f279824370679e751 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Tue, 13 Jan 2026 15:55:30 +0100
Subject: [PATCH] fix(secubox-auth-logger): Simplify log format for CrowdSec parsing
- v1.2.1: Remove timestamp generation (ucode time functions unavailable)
- Use simple format: secubox-auth[1]: authentication failure for...
- Update parser to use raw line parsing with custom label type
- Change acquisition from type:syslog to type:secubox-auth
Co-Authored-By: Claude Opus 4.5
---
 package/secubox/secubox-auth-logger/Makefile | 2 +-
 .../secubox-auth-logger/files/99-secubox-auth-logger | 5 +++--
 .../secubox-auth-logger/files/openwrt-luci-auth.yaml | 10 ++++++----
 .../secubox-auth-logger/files/secubox-auth-acquis.yaml | 2 +-
 4 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/package/secubox/secubox-auth-logger/Makefile b/package/secubox/secubox-auth-logger/Makefile
index 616971ca..3f8802d1 100644
--- a/package/secubox/secubox-auth-logger/Makefile
+++ b/package/secubox/secubox-auth-logger/Makefile
@@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=secubox-auth-logger
-PKG_VERSION:=1.2.0
+PKG_VERSION:=1.2.1
 PKG_RELEASE:=1
 PKG_ARCH:=all
 PKG_LICENSE:=Apache-2.0
diff --git a/package/secubox/secubox-auth-logger/files/99-secubox-auth-logger b/package/secubox/secubox-auth-logger/files/99-secubox-auth-logger
index 9151c823..65aa1c59 100644
--- a/package/secubox/secubox-auth-logger/files/99-secubox-auth-logger
+++ b/package/secubox/secubox-auth-logger/files/99-secubox-auth-logger
@@ -41,8 +41,9 @@ patch_dispatcher() {
 cp "$DISPATCHER" "${DISPATCHER}.bak"
 # Insert auth failure logging code after "if (!session) {"
-# The code logs to /var/log/secubox-auth.log in syslog format
-sed -i 's/if (!session) {/if (!session) { let _secubox_auth_log = open("\/var\/log\/secubox-auth.log", "a"); if (_secubox_auth_log) { let _h = http.getenv("HTTP_HOST") || "OpenWrt"; let _ts = time(); let _d = localtime(_ts); let _month = ["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"][_d.mon]; let _fmt = sprintf("%s %2d %02d:%02d:%02d", _month, _d.mday, _d.hour, _d.min, _d.sec); _secubox_auth_log.write(_fmt + " " + _h + " secubox-auth[" + getpid() + "]: authentication failure for " + (user || "root") + " from " + (http.getenv("REMOTE_ADDR") || "unknown") + " via luci\\n"); _secubox_auth_log.close(); }/' "$DISPATCHER"
+# Simple format without timestamp - CrowdSec parser matches the message content
+# Format: secubox-auth[pid]: authentication failure for from via luci
+sed -i 's/if (!session) {/if (!session) { let _secubox_auth_log = open("\/var\/log\/secubox-auth.log", "a"); if (_secubox_auth_log) { _secubox_auth_log.write("secubox-auth[1]: authentication failure for " + (user || "root") + " from " + (http.getenv("REMOTE_ADDR") || "unknown") + " via luci\\n"); _secubox_auth_log.close(); }/' "$DISPATCHER"
 echo "Dispatcher patched for auth failure logging"
 return 0
diff --git a/package/secubox/secubox-auth-logger/files/openwrt-luci-auth.yaml b/package/secubox/secubox-auth-logger/files/openwrt-luci-auth.yaml
index 3064060f..3cca7afa 100644
--- a/package/secubox/secubox-auth-logger/files/openwrt-luci-auth.yaml
+++ b/package/secubox/secubox-auth-logger/files/openwrt-luci-auth.yaml
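Review bot: The rewritten `sed` line still writes `user` into the log verbatim, and in LuCI's dispatcher that is presumably the login name taken from the request, so a submitted value containing a newline would let one failed login produce an extra log line of the submitter's choosing, which the new `Line.Raw` grok would then attribute to whatever address that line names — the usual way a log-driven banning setup ends up blocking the wrong source. Restrict the value to the character set the parser's `%{USERNAME:user}` accepts before writing it, e.g. replace `(user || "root")` with `replace(user || "root", \/[^A-Za-z0-9._-]\/g, "_")` (slashes escaped as the log path already is, since `/` is the `s` delimiter), and treat the `REMOTE_ADDR` fallback the same way if that header can ever be absent. Separately, `sed -i` exits 0 even when `if (!session) {` is not present, so the unconditional `echo "Dispatcher patched..."` and `return 0` report success on an unpatched file; a `grep -q 'secubox-auth' "$DISPATCHER" || return 1` before the echo would catch that. `patch_dispatcher` begins before this hunk.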
@@ -4,14 +4,14 @@ name: secubox/openwrt-luci-auth
 description: "Parse SecuBox auth failure logs for LuCI and SSH"
-filter: "evt.Parsed.program == 'secubox-auth'"
+filter: "evt.Line.Labels.type == 'secubox-auth'"
 onsuccess: next_stage
 nodes:
 - grok:
-# Case-insensitive match for "authentication failure"
-pattern: "(?i)authentication failure for %{USERNAME:user} from %{IP:source_ip} via %{WORD:service}"
-apply_on: message
+# Parse the full line: secubox-auth[pid]: authentication failure for from via
+pattern: "secubox-auth\\[%{INT:pid}\\]: (?i)authentication failure for %{USERNAME:user} from %{IP:source_ip} via %{WORD:service}"
+apply_on: Line.Raw
 statics:
 - meta: log_type
 value: auth_failure
@@ -21,3 +21,5 @@ nodes:
 expression: evt.Parsed.source_ip
 - meta: username
 expression: evt.Parsed.user
+- parsed: program
+value: secubox-auth
diff --git a/package/secubox/secubox-auth-logger/files/secubox-auth-acquis.yaml b/package/secubox/secubox-auth-logger/files/secubox-auth-acquis.yaml
index 29458611..2a33c517 100644
--- a/package/secubox/secubox-auth-logger/files/secubox-auth-acquis.yaml
+++ b/package/secubox/secubox-auth-logger/files/secubox-auth-acquis.yaml
@@ -4,4 +4,4 @@ filenames:
 - /var/log/secubox-auth.log
 labels:
-type: syslog
+type: secubox-auth
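Review bot: The new `Line.Raw` pattern requires `%{IP:source_ip}`, but the dispatcher side of this package writes `from unknown` whenever `REMOTE_ADDR` is empty, so those failures never match the grok and are dropped without any trace — fail-open for exactly the requests that look odd. At minimum a comment above `pattern:` such as `# Lines with "from unknown" (no REMOTE_ADDR) do not match %{IP} and are silently discarded` would make that visible; a second grok node capturing them under a separate meta key would be better. Because the line now carries no timestamp and nothing here sets `evt.StrTime`, CrowdSec will, as far as I recall, stamp each event with the time it was read, which is fine for live tailing but not for replaying an old file, and that is worth one comment too. Note also that `(?i)` sits mid-pattern, so only the text after the `secubox-auth[pid]: ` prefix is case-insensitive — presumably intended, but a comment would save the next reader a check.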