# OpenWrt Dropbear SSH Acquisition
# This configuration monitors SSH authentication logs from Dropbear
#
# Dropbear logs are typically sent to syslog and can be found in:
#   - /var/log/messages (if syslog is configured to write to file)
#   - Via logread command (OpenWrt default)
#
# Required collections:
#   cscli collections install crowdsecurity/linux
#   cscli parsers install crowdsecurity/syslog-logs
#
# The crowdsecurity/linux collection includes SSH brute-force detection
# scenarios that work with Dropbear authentication logs.
#
# Example Dropbear log entries that will be parsed:
#   dropbear[1234]: Bad password attempt for 'root' from 192.168.1.100:54321
#   dropbear[1234]: Login attempt for nonexistent user 'admin' from 192.168.1.100:54321
#   dropbear[1234]: Pubkey auth succeeded for 'root' with ssh-ed25519 key
#   dropbear[1234]: Exit (root) from <192.168.1.100:54321>: Disconnect received
#
# Note: Since Dropbear logs go to syslog, the openwrt-syslog.yaml
# acquisition config will capture these logs. This file serves as
# documentation for Dropbear-specific detection.

# If using a dedicated auth log file:
# filenames:
#   - /var/log/auth.log
# labels:
#   type: syslog