# CrowdSec parser for the SecuBox auth logger.
#
# Turns authentication-failure lines for LuCI/uhttpd and SSH
# (OpenSSH/Dropbear) into events that carry the source IP, the service and
# the attempted username.
#
# Expected line shape (placeholders named after the grok captures below):
#   secubox-auth[<pid>]: authentication failure for <user> from <source_ip> via <service>

name: secubox/openwrt-luci-auth
description: 'Parse SecuBox auth failure logs for LuCI and SSH'

# Only lines whose acquisition label `type` is 'secubox-auth' are handled.
filter: "evt.Line.Labels.type == 'secubox-auth'"

# A matched line is handed to the next stage.
onsuccess: next_stage

nodes:
  - grok:
      # `(?i)` switches on case-insensitive matching from "authentication
      # failure" onwards; the "secubox-auth[pid]:" tag in front of it is
      # matched case-sensitively.
      #
      # NOTE(review): <user> is supplied by the remote client and is logged
      # before <source_ip>, and the expression has no end anchor. source_ip
      # is presumably what remediation decisions key on, so confirm that the
      # logger restricts or escapes the username it writes. If <service> is
      # always the last token of the line, ending the pattern with `$` would
      # make the match stricter - verify against real log samples first.
      #
      # NOTE(review): %{USERNAME} accepts a limited character set in the
      # stock grok library (letters, digits, '.', '_', '-'). Failures logged
      # for names outside that set would go unparsed and so uncounted -
      # check this against what the logger actually emits.
      pattern: "secubox-auth\\[%{INT:pid}\\]: (?i)authentication failure for %{USERNAME:user} from %{IP:source_ip} via %{WORD:service}"
      # The grok runs against the raw log line.
      apply_on: Line.Raw

# Fields set once the grok above has matched.
statics:
  # Fixed event type for every line this parser accepts.
  - meta: log_type
    value: auth_failure
  # Values copied from the grok captures into the event metadata.
  - meta: service
    expression: "evt.Parsed.service"
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - meta: username
    expression: "evt.Parsed.user"
  # Fixed program name recorded in the parsed fields.
  - parsed: program
    value: secubox-auth