CyberMind-FR
32d737483b
- Change evt.Line contains -> evt.Line.Raw contains in parsers (pipeline.Line type requires .Raw accessor for string operations) - Remove invalid filter: field from acquisition configs (filter belongs in parsers, not acquisition files) Fixes CrowdSec v1.7.6 startup failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
37 lines
1.3 KiB
YAML
37 lines
1.3 KiB
YAML
# CrowdSec parser for HAProxy logs
|
|
# Parses HAProxy access and error logs for auth events
|
|
|
|
onsuccess: next_stage
|
|
name: secubox/haproxy-logs
|
|
description: "Parse HAProxy access logs"
|
|
filter: "evt.Parsed.program == 'haproxy' || evt.Line.Raw contains 'haproxy'"
|
|
grok:
|
|
pattern: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE:timestamp}\] %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server} %{INT:tq}/%{INT:tw}/%{INT:tc}/%{INT:tr}/%{INT:tt} %{INT:http_status} %{INT:bytes_read}'
|
|
apply_on: message
|
|
statics:
|
|
- meta: log_type
|
|
value: haproxy
|
|
- meta: service
|
|
value: haproxy
|
|
---
|
|
# Parse HAProxy auth failures (401/403 responses)
|
|
onsuccess: next_stage
|
|
name: secubox/haproxy-auth-failure
|
|
description: "Parse HAProxy authentication failures"
|
|
filter: "evt.Meta.log_type == 'haproxy' && evt.Parsed.http_status in ['401', '403']"
|
|
statics:
|
|
- meta: auth_success
|
|
value: "false"
|
|
---
|
|
# Parse HAProxy backend connection failures
|
|
onsuccess: next_stage
|
|
name: secubox/haproxy-backend-failure
|
|
description: "Parse HAProxy backend connection failures"
|
|
filter: "evt.Line.Raw contains 'haproxy' && (evt.Line.Raw contains 'no server available' || evt.Line.Raw contains 'Connection refused')"
|
|
grok:
|
|
pattern: "%{IP:source_ip}.*%{GREEDYDATA:error_message}"
|
|
apply_on: message
|
|
statics:
|
|
- meta: log_type
|
|
value: haproxy_error
|