# CrowdSec parser definition for James mail-server authentication failures.
name: linagora/james-auth
# NOTE(review): the description names IMAP and SMTP only, while the nodes in
# this file also handle a POP3 failure message.
description: 'Parser for James IMAP and SMTP authentication '
# Only events whose `program` field equals 'james' are handled by this parser.
filter: "evt.Parsed.program == 'james'"
# An event matched by one of the nodes moves on to the next parsing stage.
onsuccess: next_stage
# NOTE(review): debug is enabled, which switches on CrowdSec's per-node debug
# logging for this parser. That output presumably includes parsed fields such
# as user names and client addresses - confirm this is wanted outside of
# troubleshooting, and set it to false otherwise.
debug: true
# Named grok patterns referenced by the nodes of this parser.
# %{DATA:...} is a lazy "anything" capture. None of the patterns is anchored,
# so each one matches anywhere inside the message. The trailing `.` is an
# unescaped regex dot, so it matches any single character, not only a period.
pattern_syntax:
  # IMAP failures: the free text between the fixed phrases lands in `data`.
  IMAP_AUTH_FAIL_BAD_CREDENTIALS: 'IMAP Authentication failed%{DATA:data}because of bad credentials.'
  IMAP_AUTH_FAIL_DELEGATION_BAD_CREDENTIALS: 'IMAP Authentication with delegation failed%{DATA:data}because of bad credentials.'
  IMAP_AUTH_FAIL_NO_EXISTING_DELEGATION: 'IMAP Authentication with delegation failed%{DATA:data}because of non existing delegation.'
  # SMTP failure: same shape, free text captured as `data`.
  SMTP_AUTH_FAIL: 'SMTP Authentication%{DATA:data}failed.'
  # POP3 failure: the only pattern that reads `user` and `source_ip` out of
  # the message text itself.
  # NOTE(review): the address follows a free-form `user` capture, so the
  # value used for remediation depends on where the delimiter text first
  # appears. Confirm James cannot log a user value containing
  # ' with remote address ', or anchor the pattern to the end of the message.
  POP3_AUTH_FAIL: 'Bad credential supplied for %{DATA:user} with remote address %{IP:source_ip}'
nodes:
# IMAP login rejected for bad credentials.
# NOTE(review): this page lost its indentation; `statics` is placed under
# `grok` here - confirm the nesting against the original file.
- grok:
    name: 'IMAP_AUTH_FAIL_BAD_CREDENTIALS'
    apply_on: message
    statics:
    # Fixed label; the two other IMAP failure nodes in this file use it too.
    - meta: log_type
      value: imap-auth-fail
    # The IMAP pattern only captures `data`, so the fields read below are
    # presumably filled in by an earlier parsing stage - verify upstream.
    - meta: timestamp
      expression: evt.Parsed.timestamp
    - meta: level
      expression: evt.Parsed.level
    # Client address comes from the `mdc_ip` field, not from the message text.
    - meta: source_ip
      expression: evt.Parsed.mdc_ip
    - meta: host
      expression: evt.Parsed.mdc_host
    - meta: user
      expression: evt.Parsed.user
# IMAP login with delegation rejected for bad credentials.
# NOTE(review): this page lost its indentation; `statics` is placed under
# `grok` here - confirm the nesting against the original file.
- grok:
    name: 'IMAP_AUTH_FAIL_DELEGATION_BAD_CREDENTIALS'
    apply_on: message
    statics:
    # Same label as the plain IMAP failure, so the two are not told apart by
    # log_type.
    - meta: log_type
      value: imap-auth-fail
    # None of the fields below is captured by the grok pattern (it only names
    # `data`); they are presumably set by an earlier stage - verify upstream.
    - meta: timestamp
      expression: evt.Parsed.timestamp
    - meta: level
      expression: evt.Parsed.level
    - meta: source_ip
      expression: evt.Parsed.mdc_ip
    - meta: host
      expression: evt.Parsed.mdc_host
    - meta: user
      expression: evt.Parsed.user
# IMAP login with delegation rejected because the delegation does not exist.
# NOTE(review): this page lost its indentation; `statics` is placed under
# `grok` here - confirm the nesting against the original file.
- grok:
    name: 'IMAP_AUTH_FAIL_NO_EXISTING_DELEGATION'
    apply_on: message
    statics:
    # Labelled like a credential failure, although the logged reason is a
    # missing delegation.
    - meta: log_type
      value: imap-auth-fail
    # None of the fields below is captured by the grok pattern (it only names
    # `data`); they are presumably set by an earlier stage - verify upstream.
    - meta: timestamp
      expression: evt.Parsed.timestamp
    - meta: level
      expression: evt.Parsed.level
    - meta: source_ip
      expression: evt.Parsed.mdc_ip
    - meta: host
      expression: evt.Parsed.mdc_host
    - meta: user
      expression: evt.Parsed.user
# SMTP authentication failure.
# NOTE(review): this page lost its indentation; `statics` is placed under
# `grok` here - confirm the nesting against the original file.
- grok:
    name: 'SMTP_AUTH_FAIL'
    apply_on: message
    statics:
    - meta: log_type
      value: smtp-auth-fail
    - meta: timestamp
      expression: evt.Parsed.timestamp
    - meta: level
      expression: evt.Parsed.level
    # SMTP events read the client address and user from `mdc_remoteIP` and
    # `mdc_username`, which differ from the field names the IMAP nodes use
    # (`mdc_ip`, `user`). No `host` meta is set for SMTP.
    - meta: source_ip
      expression: evt.Parsed.mdc_remoteIP
    - meta: user
      expression: evt.Parsed.mdc_username
# POP3 authentication failure.
# NOTE(review): this page lost its indentation; `statics` is placed under
# `grok` here - confirm the nesting against the original file.
- grok:
    name: 'POP3_AUTH_FAIL'
    apply_on: message
    statics:
    - meta: log_type
      value: pop3-auth-fail
    # Unlike the IMAP and SMTP nodes, the address here is the `source_ip`
    # captured by the grok pattern from the message text, not an `mdc_*`
    # field.
    # NOTE(review): the pattern also captures `user`, but no `user`,
    # `timestamp` or `level` meta is exported by this node - confirm whether
    # that is intentional.
    - meta: source_ip
      expression: evt.Parsed.source_ip