- Change evt.Line contains -> evt.Line.Raw contains in parsers (pipeline.Line type requires .Raw accessor for string operations) - Remove invalid filter: field from acquisition configs (filter belongs in parsers, not acquisition files) Fixes CrowdSec v1.7.6 startup failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Streamlit application log parser (CrowdSec).
# Splits a Streamlit log line into timestamp, level and message, and tags the
# event with log_type and service "streamlit".
#
# NOTE(review): the second filter branch is a plain substring test on the raw
# line, so it also selects lines from other sources that merely mention
# "streamlit" (for example a request path or header value logged by another
# service). Matching on the acquisition label alone would be narrower; confirm
# the substring fallback is really needed.
# NOTE(review): nothing here extracts a client address, so these events get no
# evt.Meta.source_ip from this node; scenarios that group by source IP
# presumably cannot use them. Verify against the scenarios consuming this.
# NOTE(review): on success the event moves to the next stage, so later nodes
# of the same stage are skipped for it. The more specific WebSocket node
# further down in this file also matches lines containing "streamlit"; check
# that the ordering gives the intended result.

name: secubox/streamlit-logs
description: 'Parse Streamlit application logs'
onsuccess: next_stage
filter: >-
  evt.Line.Labels.type == 'streamlit'
  || evt.Line.Raw contains 'streamlit'
grok:
  apply_on: message
  pattern: "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}"
statics:
  - meta: service
    value: streamlit
  - meta: log_type
    value: streamlit
---
# Streamlit authentication failures seen at HAProxy.
# Selects events already typed as HAProxy traffic whose backend name contains
# "streamlit" and whose HTTP status is 401 or 403, then marks them as failed
# authentication for the streamlit service.
#
# NOTE(review): the filter reads evt.Meta.log_type, evt.Parsed.backend and
# evt.Parsed.http_status, none of which this node sets; it presumably depends
# on an HAProxy parser having run first. Confirm that parser does not move the
# event to the next stage before this node is reached.
# NOTE(review): a 403 can be returned for reasons other than a failed login,
# so treat auth_success as an approximation when tuning scenarios on it.
name: secubox/streamlit-auth-failure
description: 'Parse Streamlit authentication failures via HAProxy'
onsuccess: next_stage
filter: >-
  evt.Meta.log_type == 'haproxy'
  && evt.Parsed.backend contains 'streamlit'
  && evt.Parsed.http_status in ['401', '403']
statics:
  - meta: service
    value: streamlit
  # Quoted so the meta value stays the string "false" rather than a boolean.
  - meta: auth_success
    value: 'false'
---
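# Streamlit WebSocket connection failures.
# Selects raw lines mentioning both "streamlit" and "WebSocket", extracts an IP
# address from lines reporting a failed, errored or closed WebSocket, and tags
# the event with log_type "streamlit_ws".
#
# NOTE(review): the generic secubox/streamlit-logs node earlier in this file
# also matches lines containing "streamlit" and uses onsuccess: next_stage; a
# line it parses successfully never reaches this node. Confirm the ordering.
# NOTE(review): "closed" also matches ordinary WebSocket shutdowns, so not
# every event produced here is a failure; account for that in scenario
# thresholds.
onsuccess: next_stage
name: secubox/streamlit-ws-failure
description: "Parse Streamlit WebSocket connection issues"
filter: "evt.Line.Raw contains 'streamlit' && evt.Line.Raw contains 'WebSocket'"
grok:
  # The pattern is unanchored, so source_ip is the first IP-looking token that
  # precedes "WebSocket" in the message. If the log format prints a
  # client-supplied address (such as a forwarded-for value) ahead of the real
  # peer, that value is what gets captured. Verify against real log samples.
  pattern: '%{IP:source_ip}.*WebSocket.*(?:failed|error|closed)'
  apply_on: message
statics:
  - meta: log_type
    value: streamlit_ws
  # Expose the captured address as evt.Meta.source_ip. Without this the grok
  # capture stays in evt.Parsed only, and IP-scoped scenarios have nothing to
  # group or remediate on.
  - meta: source_ip
    expression: evt.Parsed.source_ip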