nextcloud apache2
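# Apache access/error logs -- CrowdSec parser (s01-parse stage).
# Only events whose program name starts with "apache2" are considered; a
# matching event is enriched (log_type, service, source_ip, http_*) and
# handed to the next stage via onsuccess.
# debug: true
filter: "evt.Parsed.program startsWith 'apache2'"
onsuccess: next_stage
name: crowdsecurity/apache2-logs
description: "Parse Apache2 access and error logs"
# log line can be prefixed by a target_fqdn
pattern_syntax:
  # Combined access-log line. The second field is captured as forwardedip
  # but is never promoted to a meta below -- it only matters if the server's
  # LogFormat actually logs a forwarded-for value there (confirm per host).
  NC_APACHE2: '%{IPORHOST:clientip} %{DATA:forwardedip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
nodes:
  # Node 1: access log (optionally prefixed by "target_fqdn[:port] ").
  - grok:
      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{NC_APACHE2}( "%{NOTDQUOTE:referrer}" "%{NOTDQUOTE:http_user_agent}")?'
      apply_on: message
      # these ones apply for both grok patterns
      statics:
        - meta: log_type
          value: http_access-log
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
        - meta: service
          value: http
        # NOTE(review): source_ip is the first field of the line (clientip).
        # When Apache sits behind a reverse proxy that field is the proxy's
        # address, so anything keyed on source_ip would point at the proxy.
        # forwardedip is captured above but unused; promote it only for
        # deployments where the proxy is trusted and the LogFormat is verified.
        - meta: source_ip
          expression: evt.Parsed.clientip
        - meta: http_status
          expression: evt.Parsed.response
        # request/verb/user_agent are raw, client-controlled log text; they are
        # exposed as metas for later scenarios and are not sanitized here.
        - meta: http_path
          expression: evt.Parsed.request
        - meta: http_verb
          expression: "evt.Parsed.verb"
        - meta: http_user_agent
          expression: "evt.Parsed.http_user_agent"
        - meta: target_fqdn
          expression: "evt.Parsed.target_fqdn"
    onsuccess: next_stage
  # Node 2: error log. HTTPD_ERRORLOG yields module/message/client; the child
  # nodes below refine specific modules into a sub_type.
  - grok:
      pattern: '%{HTTPD_ERRORLOG}'
      apply_on: message
    onsuccess: next_stage
    pattern_syntax:
      NOT_DOUBLE_POINT: '[^:]+'
      NOT_DOUBLE_QUOTE: '[^"]+'
    nodes:
      # auth_basic: failed basic-auth attempts (bad password / unknown user).
      - filter: "evt.Parsed.module == 'auth_basic'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_USER_AND_PATH: 'user %{NOT_DOUBLE_POINT:username}: authentication failure for "%{NOT_DOUBLE_QUOTE:target_uri}": Password Mismatch'
          EXTRACT_USER_AND_PATH2: 'user %{NOT_DOUBLE_POINT:username} not found: "?%{NOT_DOUBLE_QUOTE:target_uri}"?'
        grok:
          pattern: '%{EXTRACT_USER_AND_PATH}|%{EXTRACT_USER_AND_PATH2}'
          apply_on: message
          # these ones apply for both grok patterns
          statics:
            - meta: username
              expression: evt.Parsed.username
            - meta: http_path
              expression: evt.Parsed.target_uri
            - meta: sub_type
              value: "auth_fail"
      # core: malformed request line. Note the HTTP/version group here is
      # mandatory, unlike NC_APACHE2 above, so a line without " HTTP/x.y"
      # will not match this node -- confirm against real samples.
      - filter: "evt.Parsed.module == 'core' && evt.Parsed.message contains 'Invalid URI'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_URIVERB: 'Invalid URI in request %{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})'
        grok:
          pattern: '%{EXTRACT_URIVERB}'
          apply_on: message
          statics:
            - meta: http_path
              expression: evt.Parsed.request
            - meta: sub_type
              value: "invalid_uri"
      # authz_core: access denied by server configuration (e.g. Require rules).
      - filter: "evt.Parsed.module == 'authz_core' && evt.Parsed.message contains 'client denied'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_PATH: 'client denied by server configuration: %{GREEDYDATA:target_uri}'
        grok:
          pattern: '%{EXTRACT_PATH}'
          apply_on: message
          statics:
            - meta: http_path
              expression: evt.Parsed.target_uri
            - meta: sub_type
              value: "permission_denied"
    # Applied to every error-log event, whichever child node matched.
    statics:
      - meta: log_type
        value: http_error-log
      - target: evt.StrTime
        expression: evt.Parsed.timestamp
      - meta: service
        value: http
      # source_ip comes from the "[client a.b.c.d:port]" part of the error
      # line; the same reverse-proxy caveat as the access log applies.
      - meta: source_ip
        expression: evt.Parsed.client
      - meta: http_status
        expression: evt.Parsed.response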