CyberMind-FR
b5567ff747
- v1.2.1: Remove timestamp generation (ucode time functions unavailable) - Use simple format: secubox-auth[1]: authentication failure for... - Update parser to use raw line parsing with custom label type - Change acquisition from type:syslog to type:secubox-auth Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
26 lines
960 B
YAML
26 lines
960 B
YAML
# CrowdSec Parser for SecuBox Auth Logger
|
|
# Parses authentication failures from LuCI/uhttpd and SSH (OpenSSH/Dropbear)
|
|
# Format: secubox-auth[pid]: authentication failure for <user> from <ip> via <service>
|
|
|
|
name: secubox/openwrt-luci-auth
|
|
description: "Parse SecuBox auth failure logs for LuCI and SSH"
|
|
filter: "evt.Line.Labels.type == 'secubox-auth'"
|
|
onsuccess: next_stage
|
|
|
|
nodes:
|
|
- grok:
|
|
# Parse the full line: secubox-auth[pid]: authentication failure for <user> from <ip> via <service>
|
|
pattern: "secubox-auth\\[%{INT:pid}\\]: (?i)authentication failure for %{USERNAME:user} from %{IP:source_ip} via %{WORD:service}"
|
|
apply_on: Line.Raw
|
|
statics:
|
|
- meta: log_type
|
|
value: auth_failure
|
|
- meta: service
|
|
expression: evt.Parsed.service
|
|
- meta: source_ip
|
|
expression: evt.Parsed.source_ip
|
|
- meta: username
|
|
expression: evt.Parsed.user
|
|
- parsed: program
|
|
value: secubox-auth
|