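---
# CrowdSec parser for HAProxy logs
# Parses HAProxy access and error logs for auth events.
#
# NOTE(review): the filter's second clause matches any raw line that contains
# the substring 'haproxy', not only lines whose program is haproxy. Combined
# with the unanchored grok below, fields such as source_ip could then be taken
# from text another service logged on behalf of a client. Consider relying on
# evt.Parsed.program alone once the acquisition labels are confirmed.
#
# NOTE(review): if all three documents are loaded into the same stage,
# `onsuccess: next_stage` presumably ends that stage as soon as this node
# succeeds, so the auth-failure node below (which needs the log_type meta set
# here) may never see the event. Confirm with `cscli explain` on a sample line.
onsuccess: next_stage
name: secubox/haproxy-logs
description: "Parse HAProxy access logs"
filter: "evt.Parsed.program == 'haproxy' || evt.Line.Raw contains 'haproxy'"
grok:
  # Folded scalar: the lines below join with single spaces into one pattern.
  # Captures client ip:port, the bracketed accept date, frontend,
  # backend/server, the five slash-separated timers, status and byte count.
  # Anything after bytes_read is left unparsed.
  pattern: >-
    %{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE:timestamp}\]
    %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server}
    %{INT:tq}/%{INT:tw}/%{INT:tc}/%{INT:tr}/%{INT:tt}
    %{INT:http_status} %{INT:bytes_read}
  apply_on: message
statics:
  - meta: log_type
    value: haproxy
  - meta: service
    value: haproxy
  # Expose the client address as meta so scenarios can group and decide on
  # evt.Meta.source_ip; without it the address only exists in evt.Parsed.
  - meta: source_ip
    expression: evt.Parsed.source_ip
---
# Parse HAProxy auth failures (401/403 responses)
# Tags events already classified as log_type 'haproxy' whose status is 401 or
# 403 with auth_success = "false" (a string, not a boolean).
# NOTE(review): 403 is also what ACL and policy denials return, so this meta
# marks "request refused", not strictly "bad credentials". Scenarios that
# count brute-force attempts may want to look at http_status as well.
onsuccess: next_stage
name: secubox/haproxy-auth-failure
description: "Parse HAProxy authentication failures"
filter: "evt.Meta.log_type == 'haproxy' && evt.Parsed.http_status in ['401', '403']"
statics:
  - meta: auth_success
    value: "false"
---
# Parse HAProxy backend connection failures
# Selects raw lines mentioning haproxy together with 'no server available' or
# 'Connection refused' and labels them log_type 'haproxy_error'.
onsuccess: next_stage
name: secubox/haproxy-backend-failure
description: "Parse HAProxy backend connection failures"
filter: >-
  evt.Line.Raw contains 'haproxy' &&
  (evt.Line.Raw contains 'no server available' ||
  evt.Line.Raw contains 'Connection refused')
grok:
  # No `.*` between the IP and GREEDYDATA: a greedy wildcard there swallows
  # the rest of the line and leaves error_message empty on every event.
  # NOTE(review): the pattern is unanchored, so source_ip is simply the first
  # IP-looking token in the message. In backend health messages that may be a
  # server address rather than a client, which is why it is deliberately not
  # copied into evt.Meta here. Verify against real log samples before any
  # scenario keys on it.
  pattern: '%{IP:source_ip}%{GREEDYDATA:error_message}'
  apply_on: message
statics:
  - meta: log_type
    value: haproxy_error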