diff --git a/.tests/CVE-2017-9841/parser.assert b/.tests/CVE-2017-9841/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2019-18935/parser.assert b/.tests/CVE-2019-18935/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2022-35914/parser.assert b/.tests/CVE-2022-35914/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2022-41697/parser.assert b/.tests/CVE-2022-41697/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2022-42889/parser.assert b/.tests/CVE-2022-42889/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2022-44877/parser.assert b/.tests/CVE-2022-44877/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2022-46169/parser.assert b/.tests/CVE-2022-46169/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2023-22515/parser.assert b/.tests/CVE-2023-22515/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2023-22518/parser.assert b/.tests/CVE-2023-22518/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2023-4911/parser.assert b/.tests/CVE-2023-4911/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2024-0012/parser.assert b/.tests/CVE-2024-0012/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2024-38475/parser.assert b/.tests/CVE-2024-38475/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2024-9474/parser.assert b/.tests/CVE-2024-9474/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/CVE-2025-0108/parser.assert b/.tests/CVE-2025-0108/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/adguardhome-bf/parser.assert b/.tests/adguardhome-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/adguardhome-bf/scenario.assert b/.tests/adguardhome-bf/scenario.assert
index a2d23580c51..59b013c67e8 100644
--- a/.tests/adguardhome-bf/scenario.assert
+++ b/.tests/adguardhome-bf/scenario.assert
@@ -4,39 +4,39 @@ results[0].Overflow.Sources["192.168.1.3"].IP == "192.168.1.3"
 results[0].Overflow.Sources["192.168.1.3"].Range == ""
 results[0].Overflow.Sources["192.168.1.3"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.3"].GetValue() == "192.168.1.3"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-01-26T06:43:57.223387Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-01-26T06:43:57.223387Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-01-26T06:43:57.223387Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-01-26T06:43:58.223387Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-01-26T06:43:58.223387Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "adguardhome_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "adguardhome"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.3"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-01-26T06:43:58.223387Z"
@@ -48,42 +48,42 @@ results[1].Overflow.Sources["192.168.1.2"].IP == "192.168.1.2"
 results[1].Overflow.Sources["192.168.1.2"].Range == ""
 results[1].Overflow.Sources["192.168.1.2"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.1.2"].GetValue() == "192.168.1.2"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-02-21T08:05:56.233208Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-02-21T08:05:56.233208Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-02-21T08:05:56.233208Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-02-21T08:05:57.233208Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-02-21T08:05:57.233208Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "adguardhome-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "adguardhome-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "adguardhome_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "adguardhome"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-02-21T08:05:57.233208Z"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/adguardhome-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/adguardhome-logs/parser.assert b/.tests/adguardhome-logs/parser.assert
index c3377a1ba41..28b641ce552 100644
--- a/.tests/adguardhome-logs/parser.assert
+++ b/.tests/adguardhome-logs/parser.assert
@@ -3,25 +3,25 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023/02/21 08:05:56.233208 [error] POST 192.168.1.2 /control/login: invalid username or password"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "adguardhome"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2024/01/26 06:43:57.223387 [error] POST 192.168.1.1 /control/login: from ip 192.168.1.3: invalid username or password"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "adguardhome"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023/02/21 08:06:24.400712 [info] auth: user \"realuser\" successfully logged in from ip 192.168.1.2"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "adguardhome"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2024/09/12 09:15:43.126560 [error] POST some.domain.tld /control/login: from ip 192.168.1.1: invalid username or password"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "adguardhome"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
@@ -36,9 +36,9 @@ results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Parsed["message"] =
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Parsed["program"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Parsed["time"] == "08:05:56.233208"
-results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["service"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["LePresidente/adguardhome-logs"][0].Evt.Whitelisted == false
@@ -48,9 +48,9 @@ results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Parsed["message"] =
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Parsed["program"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.3"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Parsed["time"] == "06:43:57.223387"
-results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["service"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Meta["source_ip"] == "192.168.1.3"
 results["s01-parse"]["LePresidente/adguardhome-logs"][1].Evt.Whitelisted == false
@@ -61,9 +61,9 @@ results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Parsed["message"] =
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Parsed["program"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Parsed["time"] == "09:15:43.126560"
-results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["service"] == "adguardhome"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LePresidente/adguardhome-logs"][3].Evt.Whitelisted == false
@@ -74,9 +74,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "08:05:56.233208"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-02-21T08:05:56.233208Z"
@@ -88,9 +88,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "06:43:57.223387"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-01-26T06:43:57.223387Z"
@@ -102,9 +102,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "09:15:43.126560"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "adguardhome-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "adguardhome-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "adguardhome_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "adguardhome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-09-12T09:15:43.12656Z"
diff --git a/.tests/adguardhome-logs/scenario.assert b/.tests/adguardhome-logs/scenario.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apache-guacamole-logs/apache-guacamole-logs.log b/.tests/apache-guacamole-logs/apache-guacamole-logs.log
index d22d79176e4..4cfc69427f0 100644
--- a/.tests/apache-guacamole-logs/apache-guacamole-logs.log
+++ b/.tests/apache-guacamole-logs/apache-guacamole-logs.log
@@ -1,3 +1,4 @@
 28-Mar-2022 07:01:48.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
 2023-04-06T09:05:54,991Z [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user "test" failed.
-2023-04-06T09:06:01,059Z [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user "test@example.com" failed.
\ No newline at end of file
+2023-04-06T09:06:01,059Z [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user "test@example.com" failed.
+2023-04-06T09:07:00,000Z [http-nio-8080-exec-11] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" failed.
\ No newline at end of file
diff --git a/.tests/apache-guacamole-logs/parser.assert b/.tests/apache-guacamole-logs/parser.assert
index aba491815aa..4506eec1e70 100644
--- a/.tests/apache-guacamole-logs/parser.assert
+++ b/.tests/apache-guacamole-logs/parser.assert
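Review bot: The new last line of the fixture still carries `\ No newline at end of file`, so the commit moves the missing terminator from the "test@example.com" line to the new "crowdsec-test-…" line instead of fixing it. The adguardhome-bf scenario.assert hunk in this same commit does add the trailing newline, so the two fixtures now disagree on the convention. Terminating the new line with a newline keeps the next append to this file from showing up as a two-line diff again.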
@@ -1,25 +1,35 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "28-Mar-2022 07:01:48.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [\"http-nio-8080\"]"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "apache-guacamole"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2023-04-06T09:05:54,991Z [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test\" failed."
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "apache-guacamole"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023-04-06T09:06:01,059Z [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test@example.com\" failed."
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "apache-guacamole"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2023-04-06T09:07:00,000Z [http-nio-8080-exec-11] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" failed."
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "apache-guacamole"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-len(results["s01-parse"]["corvese/apache-guacamole-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+len(results["s01-parse"]["corvese/apache-guacamole-logs"]) == 4
 results["s01-parse"]["corvese/apache-guacamole-logs"][0].Success == false
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Success == true
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Parsed["message"] == "2023-04-06T09:05:54,991Z [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test\" failed."
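Review bot: The assertions added for the new entry [3] (user `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`) pin exactly the same fields as entries [1] and [2] — Success, message, program, basename of datasource_path, datasource_type and `Whitelisted == false` — so nothing in this hunk shows what the synthetic username is meant to exercise. If the line exists only to prove the parser handles a long, non-email username like any other failed login, the coverage here is complete; if it is meant to trigger a whitelist or other special handling at a later stage, the assertion that pins that behaviour is what makes the fixture worth keeping, and it would belong in the s01-parse/s02-enrich portion of this file, which starts outside this hunk. The updates to the three `len(...)` counts are consistent with the one added log line.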
@@ -27,51 +37,83 @@ results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Parsed["program"] =
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Parsed["timestamp"] == "2023-04-06T09:05:54,991Z"
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Parsed["username"] == "test"
-results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["log_type"] == "apache-guacamole_failed_auth"
+results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
+results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["service"] == "apache-guacamole"
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["target_user"] == "test"
-results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
-results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["corvese/apache-guacamole-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Success == true
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Parsed["message"] == "2023-04-06T09:06:01,059Z [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test@example.com\" failed."
results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Parsed["program"] == "apache-guacamole"
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Parsed["timestamp"] == "2023-04-06T09:06:01,059Z"
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Parsed["username"] == "test@example.com"
-results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["target_user"] == "test@example.com"
-results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
+results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["log_type"] == "apache-guacamole_failed_auth"
 results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["service"] == "apache-guacamole"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Meta["target_user"] == "test@example.com"
+results["s01-parse"]["corvese/apache-guacamole-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Success == true
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Parsed["message"] == "2023-04-06T09:07:00,000Z [http-nio-8080-exec-11] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" failed."
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Parsed["program"] == "apache-guacamole"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Parsed["timestamp"] == "2023-04-06T09:07:00,000Z"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["service"] == "apache-guacamole"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["corvese/apache-guacamole-logs"][3].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-04-06T09:05:54,991Z [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test\" failed."
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "apache-guacamole"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-04-06T09:05:54,991Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "apache-guacamole_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "apache-guacamole"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-04-06T09:05:54.991Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-04-06T09:05:54.991Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-04-06T09:06:01,059Z [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"test@example.com\" failed."
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "apache-guacamole"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-04-06T09:06:01,059Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "apache-guacamole_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "apache-guacamole"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-04-06T09:06:01.059Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "apache-guacamole-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-04-06T09:06:01.059Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2023-04-06T09:07:00,000Z [http-nio-8080-exec-11] WARN 
o.a.g.r.auth.AuthenticationService - Authentication attempt from [127.0.0.1, 127.0.0.2] for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" failed."
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "apache-guacamole"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-04-06T09:07:00,000Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "apache-guacamole-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "apache-guacamole"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-04-06T09:07:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-04-06T09:07:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/apache-guacamole_bf/parser.assert b/.tests/apache-guacamole_bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apache-guacamole_bf/scenario.assert b/.tests/apache-guacamole_bf/scenario.assert
index a3c58af2a78..adf70535141 100644
--- a/.tests/apache-guacamole_bf/scenario.assert
+++ b/.tests/apache-guacamole_bf/scenario.assert
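Review bot: The third event's enriched `Meta["timestamp"]` and `Enriched["MarshaledTime"]` are pinned to `2023-04-06T09:07:00Z`, so the `,000` fractional part of the parsed timestamp `2023-04-06T09:07:00,000Z` disappears, while events 0 and 1 keep `.991Z` and `.059Z`. That looks like the formatter eliding a zero fraction rather than a parser defect, but it means the new fixture line exercises a different output shape than its siblings and cannot catch a regression in fractional-second parsing. A fixture timestamp with a non-zero millisecond part (for example `09:07:00,123Z`, with the expected values updated accordingly) would keep the three events uniform and make the added case strictly more informative.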
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[0].Overflow.Sources["127.0.0.1"].Range == ""
 results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-06T09:13:48.557Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-06T09:13:50.772Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-06T09:14:10.979Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-06T09:14:13.381Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-06T09:14:15.526Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apache-guacamole_bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apache-guacamole_bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-04-06T09:14:17.235Z"
 results[0].Overflow.Alert.GetScenario() == "corvese/apache-guacamole_bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 10
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 10
diff --git a/.tests/apache-guacamole_user_enum/parser.assert b/.tests/apache-guacamole_user_enum/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apache-guacamole_user_enum/scenario.assert b/.tests/apache-guacamole_user_enum/scenario.assert
index 0bae758fc83..859913a6a08 100644
--- a/.tests/apache-guacamole_user_enum/scenario.assert
+++ b/.tests/apache-guacamole_user_enum/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[0].Overflow.Sources["127.0.0.1"].Range == ""
 results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test5"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-06T09:13:48.557Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test6"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-06T09:13:50.772Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test1@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-06T09:14:10.979Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test2@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-06T09:14:13.381Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test3@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-06T09:14:15.526Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apache-guacamole_user_enum.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apache-guacamole_user_enum.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "apache-guacamole_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "apache-guacamole"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test4@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-04-06T09:14:17.235Z"
 results[0].Overflow.Alert.GetScenario() == "corvese/apache-guacamole_user_enum"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 10
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 10
diff --git a/.tests/apache-http-probing/parser.assert b/.tests/apache-http-probing/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apache2-http-sensitive-files/parser.assert b/.tests/apache2-http-sensitive-files/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apache_log4j2_cve-2021-44228/parser.assert b/.tests/apache_log4j2_cve-2021-44228/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apereo-cas-audit-logs/parser.assert b/.tests/apereo-cas-audit-logs/parser.assert
index 6fd7355223c..bb391e091b6 100644
--- a/.tests/apereo-cas-audit-logs/parser.assert
+++ b/.tests/apereo-cas-audit-logs/parser.assert
@@ -1,40 +1,37 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "cas"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2021-10-11 09:01:35,116 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Oct 11 09:01:35 CEST 2021|CAS|Supplied credentials: [UsernamePasswordCredential(username=john.doe, source=null, customFields={})]|AUTHENTICATION_FAILED|john.doe|1.1.1.1|2.2.2.2"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "apereo-cas-audit-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "cas"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-len(results["s01-parse"]["jusabatier/apereo-cas-audit-logs"]) == 1
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Success == true
-results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["time"] == "2021-10-11 09:01:35"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["cas_client_ip"] == "1.1.1.1"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["cas_invalid_user"] == "john.doe"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["loglevel"] == "INFO"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["message"] == "2021-10-11 09:01:35,116 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Oct 11 09:01:35 CEST 2021|CAS|Supplied credentials: [UsernamePasswordCredential(username=john.doe, source=null, customFields={})]|AUTHENTICATION_FAILED|john.doe|1.1.1.1|2.2.2.2"
results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["program"] == "cas"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["threadname"] == "org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
+results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Parsed["time"] == "2021-10-11 09:01:35"
+results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["service"] == "cas"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["target_user"] == "john.doe"
-results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["datasource_path"] == "apereo-cas-audit-logs.log"
-results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["log_type"] == "cas_failed-auth"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cas_client_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cas_invalid_user"] == "john.doe"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["loglevel"] == "INFO"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2021-10-11 09:01:35,116 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Oct 11 09:01:35 CEST 2021|CAS|Supplied credentials: [UsernamePasswordCredential(username=john.doe, source=null, 
customFields={})]|AUTHENTICATION_FAILED|john.doe|1.1.1.1|2.2.2.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "cas"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["threadname"] == "org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "2021-10-11 09:01:35"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cas_client_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cas_invalid_user"] == "john.doe"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["loglevel"] == "INFO"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "cas_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "cas"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "john.doe"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "apereo-cas-audit-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2021-10-11T09:01:35Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2021-10-11T09:01:35Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
diff --git a/.tests/apereo-cas-bf/parser.assert b/.tests/apereo-cas-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
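Review bot: The count assertions are dropped from this hunk with no replacement — `len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1` and the three other `len(...) == 1` lines for syslog-logs, jusabatier/apereo-cas-audit-logs and dateparse-enrich — whereas the apache-guacamole parser hunk earlier in this diff keeps its `len(...)` checks and bumps them. Without them the file only pins index 0 per stage, so a parser regression that emits a duplicate or spurious extra event from the single fixture line would still pass. The `datasource_path` assertions are also removed outright here rather than rewritten to the `basename(...)` form used in every other file in the diff; restoring them as `basename(results["s01-parse"]["jusabatier/apereo-cas-audit-logs"][0].Evt.Meta["datasource_path"]) == "apereo-cas-audit-logs.log"` (and likewise for s00-raw and s02-enrich) keeps the file consistent with its siblings. If the regenerating tool omits `len` lines by design, a short note in the commit description saying so would help the next reviewer.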
diff --git a/.tests/apereo-cas-bf/scenario.assert b/.tests/apereo-cas-bf/scenario.assert
index b0b4fea2f9a..2979155305f 100644
--- a/.tests/apereo-cas-bf/scenario.assert
+++ b/.tests/apereo-cas-bf/scenario.assert
@@ -4,42 +4,48 @@ results[0].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2"
 results[0].Overflow.Sources["1.1.1.2"].Range == ""
 results[0].Overflow.Sources["1.1.1.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "john.doe1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "john.doe2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "john.doe3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "john.doe4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "john.doe5"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "john.doe6"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
 results[0].Overflow.Alert.GetScenario() == "jusabatier/apereo-cas-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -48,42 +54,48 @@ results[1].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2"
 results[1].Overflow.Sources["1.1.1.2"].Range == ""
 results[1].Overflow.Sources["1.1.1.2"].GetScope() == "Ip"
 results[1].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "john.doe1"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "john.doe2"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "john.doe3"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "john.doe4"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "john.doe5"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "john.doe6"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
 results[1].Overflow.Alert.GetScenario() == "jusabatier/apereo-cas-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -92,42 +104,48 @@ results[2].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[2].Overflow.Sources["1.1.1.1"].Range == ""
 results[2].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[2].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "john.doe"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "john.doe"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "john.doe"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "john.doe"
-results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "john.doe"
-results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apereo-cas-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apereo-cas-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "cas_failed-auth"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "cas"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
 results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "john.doe"
+results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
 results[2].Overflow.Alert.GetScenario() == "jusabatier/apereo-cas-bf"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/apereo-cas-slow-bf/parser.assert b/.tests/apereo-cas-slow-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/apereo-cas-slow-bf/scenario.assert b/.tests/apereo-cas-slow-bf/scenario.assert
index 31c830a550a..ae6568a9f73 100644
--- a/.tests/apereo-cas-slow-bf/scenario.assert
+++ b/.tests/apereo-cas-slow-bf/scenario.assert
@@ -4,72 +4,83 @@ results[0].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2"
 results[0].Overflow.Sources["1.1.1.2"].Range == ""
 results[0].Overflow.Sources["1.1.1.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "john.doe1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "john.doe2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-10-11T09:01:40Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "john.doe3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-10-11T09:01:45Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "john.doe4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-10-11T09:01:50Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "john.doe5"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-10-11T09:01:55Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "john.doe6"
-results[0].Overflow.Alert.Events[6].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-10-11T09:02:00Z"
+results[0].Overflow.Alert.Events[6].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[6].GetMeta("target_user") == "john.doe7"
-results[0].Overflow.Alert.Events[7].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2021-10-11T09:02:05Z"
+results[0].Overflow.Alert.Events[7].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[7].GetMeta("target_user") == "john.doe8"
-results[0].Overflow.Alert.Events[8].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2021-10-11T09:02:10Z"
+results[0].Overflow.Alert.Events[8].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[8].GetMeta("target_user") == "john.doe9"
-results[0].Overflow.Alert.Events[9].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2021-10-11T09:02:15Z"
+results[0].Overflow.Alert.Events[9].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[9].GetMeta("target_user") == "john.doe10"
-results[0].Overflow.Alert.Events[10].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2021-10-11T09:02:20Z"
+results[0].Overflow.Alert.Events[10].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "cas_failed-auth"
 results[0].Overflow.Alert.Events[10].GetMeta("service") == "cas"
 results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "1.1.1.2"
 results[0].Overflow.Alert.Events[10].GetMeta("target_user") == "john.doe11"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2021-10-11T09:02:25Z"
 results[0].Overflow.Alert.GetScenario() == "jusabatier/cas-slow-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 11
@@ -78,72 +89,83 @@ results[1].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2"
 results[1].Overflow.Sources["1.1.1.2"].Range == ""
 results[1].Overflow.Sources["1.1.1.2"].GetScope() == "Ip"
 results[1].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "john.doe1"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-10-11T09:01:35Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "john.doe2"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-10-11T09:01:40Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "john.doe3"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-10-11T09:01:45Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "john.doe4"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-10-11T09:01:50Z"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "john.doe5"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-10-11T09:01:55Z"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "john.doe6"
-results[1].Overflow.Alert.Events[6].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-10-11T09:02:00Z"
+results[1].Overflow.Alert.Events[6].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[6].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[6].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[6].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[6].GetMeta("target_user") == "john.doe7"
-results[1].Overflow.Alert.Events[7].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[6].GetMeta("timestamp") == "2021-10-11T09:02:05Z"
+results[1].Overflow.Alert.Events[7].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[7].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[7].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[7].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[7].GetMeta("target_user") == "john.doe8"
-results[1].Overflow.Alert.Events[8].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[7].GetMeta("timestamp") == "2021-10-11T09:02:10Z"
+results[1].Overflow.Alert.Events[8].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[8].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[8].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[8].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[8].GetMeta("target_user") == "john.doe9"
-results[1].Overflow.Alert.Events[9].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[8].GetMeta("timestamp") == "2021-10-11T09:02:15Z"
+results[1].Overflow.Alert.Events[9].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[9].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[9].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[9].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[9].GetMeta("target_user") == "john.doe10"
-results[1].Overflow.Alert.Events[10].GetMeta("datasource_path") == "apereo-cas-slow-bf.log"
+results[1].Overflow.Alert.Events[9].GetMeta("timestamp") == "2021-10-11T09:02:20Z"
+results[1].Overflow.Alert.Events[10].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "apereo-cas-slow-bf.log"
 results[1].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[10].GetMeta("log_type") == "cas_failed-auth"
 results[1].Overflow.Alert.Events[10].GetMeta("service") == "cas"
 results[1].Overflow.Alert.Events[10].GetMeta("source_ip") == "1.1.1.2"
 results[1].Overflow.Alert.Events[10].GetMeta("target_user") == "john.doe11"
+results[1].Overflow.Alert.Events[10].GetMeta("timestamp") == "2021-10-11T09:02:25Z"
 results[1].Overflow.Alert.GetScenario() == "jusabatier/cas-slow-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 11
diff --git a/.tests/apiscp-bf/parser.assert b/.tests/apiscp-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/asterisk-bf/parser.assert b/.tests/asterisk-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/asterisk-bf/scenario.assert b/.tests/asterisk-bf/scenario.assert
index 0467fc67967..1e474801ef7 100644
--- a/.tests/asterisk-bf/scenario.assert
+++ b/.tests/asterisk-bf/scenario.assert
@@ -7,7 +7,7 @@ results[0].Overflow.Sources["172.17.0.1"].GetValue() == "172.17.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[0].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
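Review bot: The `datasource_path` assertions in asterisk-bf/scenario.assert (this hunk and the hunks at -15, -23, -31, -39 and -47) still compare against the bare filename `asterisk-bf.log`, while every apereo-cas scenario.assert touched by this same commit switches to `basename(...GetMeta("datasource_path"))`. If that switch reflects the harness now reporting a full path, these six lines will fail; suggest `basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "asterisk-bf.log"` for each event, or a short comment explaining why this file keeps the bare form. The apereo-cas files also gain a `timestamp` assertion per event that is not added here, which leaves the asterisk events' timestamp meta unchecked; presumably intentional, but worth confirming.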
@@ -15,7 +15,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "6001"
 results[0].Overflow.Alert.Events[1].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[1].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
@@ -23,7 +23,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "6001"
 results[0].Overflow.Alert.Events[2].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[2].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
@@ -31,7 +31,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "6001"
 results[0].Overflow.Alert.Events[3].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[3].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
@@ -39,7 +39,7 @@ results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "6001"
 results[0].Overflow.Alert.Events[4].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[4].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.17.0.1"
@@ -47,7 +47,7 @@ results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "6001"
 results[0].Overflow.Alert.Events[5].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "asterisk-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[5].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.17.0.1"
diff --git a/.tests/asterisk-logs/parser.assert b/.tests/asterisk-logs/parser.assert
index 476d0e0bfda..3c22e0397f5 100644
--- a/.tests/asterisk-logs/parser.assert
+++ b/.tests/asterisk-logs/parser.assert
@@ -1,147 +1,193 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[Dec 21 12:56:59] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"InvalidAccountID\",EventTV=\"2021-12-21T12:56:59.192+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/55287\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "asterisk"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[Dec 21 12:57:00] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"ChallengeResponseFailed\",EventTV=\"2021-12-21T12:57:00.209+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/54784\",Challenge=\"1640091422/edc27724b23967f2cb58e348c4e578eb\",Response=\"3b0bbeda2ac7623e8f39fd45cacd9ca0\",ExpectedResponse=\"\""
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "asterisk"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == '[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2022-03-06T08:44:27.151+1100",Severity="Error",Service="SIP",EventVersion="2",AccountID="6001",SessionID="0x7fa52803a000",LocalAddress="IPV4/UDP/172.17.0.2/5060",RemoteAddress="IPV4/UDP/172.17.0.1/56433",Challenge="62790d2c",ReceivedChallenge="62790d2c",ReceivedHash="c3b9d05b8f36265eb89edee60aad693a"'
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:27.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "asterisk"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[Mar 6 08:44:25] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:25.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/TLS/172.17.0.2/5061\",RemoteAddress=\"IPV4/TLS/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "asterisk"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-len(results["s01-parse"]["crowdsecurity/asterisk-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["asterisk_service"] == "PJSIP"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["event_timestamp"] == "2021-12-21T12:56:59.192+0000"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["message"] == "[Dec 21 12:56:59] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"InvalidAccountID\",EventTV=\"2021-12-21T12:56:59.192+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/55287\""
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["target_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["program"] == "asterisk"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["source_port"] == "55287"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["target_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["target_port"] == "5060"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["timestamp"] == "Dec 21 12:56:59"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["username"] == "6001"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["asterisk_service"] == "PJSIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["event_timestamp"][4:] == "-12-21T12:56:59.192+0000"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["target_user"] == "6001"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["asterisk_service"] == "PJSIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["log_type"] == "asterisk_failed_auth"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["username"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["event_timestamp"] == "2021-12-21T12:57:00.209+0000"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["message"] == "[Dec 21 12:57:00] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"ChallengeResponseFailed\",EventTV=\"2021-12-21T12:57:00.209+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/54784\",Challenge=\"1640091422/edc27724b23967f2cb58e348c4e578eb\",Response=\"3b0bbeda2ac7623e8f39fd45cacd9ca0\",ExpectedResponse=\"\""
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["program"] == "asterisk"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["timestamp"] == "Dec 21 12:57:00"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["source_port"] == "54784"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["target_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["target_port"] == "5060"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["asterisk_service"] == "PJSIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["event_timestamp"][4:] == "-12-21T12:57:00.209+0000"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["message"] == "[Dec 21 12:57:00] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"ChallengeResponseFailed\",EventTV=\"2021-12-21T12:57:00.209+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/54784\",Challenge=\"1640091422/edc27724b23967f2cb58e348c4e578eb\",Response=\"3b0bbeda2ac7623e8f39fd45cacd9ca0\",ExpectedResponse=\"\""
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["timestamp"] == "Dec 21 12:57:00"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["username"] == "6001"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["asterisk_service"] == "PJSIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["datasource_path"] == "asterisk-logs.log"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["log_type"] == "asterisk_failed_auth"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["username"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["asterisk_service"] == "SIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["asterisk_session_id"] == "0x7fa52803a000"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["event_timestamp"] == "2022-03-06T08:44:27.151+1100"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["message"] == "[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:27.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["program"] == "asterisk"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["timestamp"] == "Mar 6 08:44:27"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["source_port"] == "56433"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["target_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["target_port"] == "5060"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["asterisk_service"] == "SIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["event_timestamp"][4:] == "-03-06T08:44:27.151+1100"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["message"] == '[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2022-03-06T08:44:27.151+1100",Severity="Error",Service="SIP",EventVersion="2",AccountID="6001",SessionID="0x7fa52803a000",LocalAddress="IPV4/UDP/172.17.0.2/5060",RemoteAddress="IPV4/UDP/172.17.0.1/56433",Challenge="62790d2c",ReceivedChallenge="62790d2c",ReceivedHash="c3b9d05b8f36265eb89edee60aad693a"'
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["timestamp"] == "Mar 6 08:44:27"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Parsed["username"] == "6001"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["asterisk_service"] == "SIP"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["datasource_path"] == "asterisk-logs.log"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["log_type"] == "asterisk_failed_auth"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["session_id"] == "0x7fa52803a000"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["asterisk_service"] == "SIP"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["asterisk_session_id"] == "0x7fa52803a000"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["event_timestamp"] == "2022-03-06T08:44:25.151+1100"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["message"] == "[Mar 6 08:44:25] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:25.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/TLS/172.17.0.2/5061\",RemoteAddress=\"IPV4/TLS/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["program"] == "asterisk"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["source_port"] == "56433"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["target_ip"] == "172.17.0.2"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["target_port"] == "5061"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["timestamp"] == "Mar 6 08:44:25"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["username"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["asterisk_service"] == "SIP"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["service"] == "asterisk"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["session_id"] == "0x7fa52803a000"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["target_user"] == "6001"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55287"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "6001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["event_timestamp"][4:] == "-12-21T12:56:59.192+0000"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "asterisk"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["event_timestamp"] == "2021-12-21T12:56:59.192+0000"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Dec 21 12:56:59] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"InvalidAccountID\",EventTV=\"2021-12-21T12:56:59.192+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/55287\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "172.17.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55287"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_ip"] == "172.17.0.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_port"] == "5060"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Dec 21 12:56:59"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "6001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "6001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["asterisk_service"] == "PJSIP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "asterisk_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "asterisk"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-12-21T12:56:59Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "6001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-12-21T12:56:59Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-12-21T12:56:59Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Dec 21 12:57:00] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"ChallengeResponseFailed\",EventTV=\"2021-12-21T12:57:00.209+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/54784\",Challenge=\"1640091422/edc27724b23967f2cb58e348c4e578eb\",Response=\"3b0bbeda2ac7623e8f39fd45cacd9ca0\",ExpectedResponse=\"\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_port"] == "5060"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["asterisk_service"] == "PJSIP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["event_timestamp"][4:] == "-12-21T12:57:00.209+0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["event_timestamp"] == "2021-12-21T12:57:00.209+0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Dec 21 12:57:00] SECURITY[77]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=\"ChallengeResponseFailed\",EventTV=\"2021-12-21T12:57:00.209+0000\",Severity=\"Error\",Service=\"PJSIP\",EventVersion=\"1\",AccountID=\"6001\",SessionID=\"2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/54784\",Challenge=\"1640091422/edc27724b23967f2cb58e348c4e578eb\",Response=\"3b0bbeda2ac7623e8f39fd45cacd9ca0\",ExpectedResponse=\"\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_port"] == "54784"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_ip"] == "172.17.0.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_port"] == "5060"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Dec 21 12:57:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "6001"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["asterisk_session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["asterisk_service"] == "PJSIP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["session_id"] == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "6001"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["asterisk_service"] == "PJSIP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "asterisk-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "asterisk_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-12-21T12:57:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-12-21T12:57:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-12-21T12:57:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == '[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2022-03-06T08:44:27.151+1100",Severity="Error",Service="SIP",EventVersion="2",AccountID="6001",SessionID="0x7fa52803a000",LocalAddress="IPV4/UDP/172.17.0.2/5060",RemoteAddress="IPV4/UDP/172.17.0.1/56433",Challenge="62790d2c",ReceivedChallenge="62790d2c",ReceivedHash="c3b9d05b8f36265eb89edee60aad693a"'
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_port"] == "5060"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["asterisk_service"] == "SIP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["event_timestamp"][4:] == "-03-06T08:44:27.151+1100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["asterisk_session_id"] == "0x7fa52803a000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["event_timestamp"] == "2022-03-06T08:44:27.151+1100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Mar 6 08:44:27] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:27.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/UDP/172.17.0.2/5060\",RemoteAddress=\"IPV4/UDP/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_port"] == "56433"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_ip"] == "172.17.0.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_port"] == "5060"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Mar 6 08:44:27"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "6001"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["asterisk_session_id"] == "0x7fa52803a000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["asterisk_service"] == "SIP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["session_id"] == "0x7fa52803a000"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "6001"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["asterisk_service"] == "SIP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "asterisk-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "asterisk_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-03-06T08:44:27Z"
-
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-03-06T08:44:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-03-06T08:44:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["asterisk_service"] == "SIP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["asterisk_session_id"] == "0x7fa52803a000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["event_timestamp"] == "2022-03-06T08:44:25.151+1100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[Mar 6 08:44:25] SECURITY[1310] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"2022-03-06T08:44:25.151+1100\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"6001\",SessionID=\"0x7fa52803a000\",LocalAddress=\"IPV4/TLS/172.17.0.2/5061\",RemoteAddress=\"IPV4/TLS/172.17.0.1/56433\",Challenge=\"62790d2c\",ReceivedChallenge=\"62790d2c\",ReceivedHash=\"c3b9d05b8f36265eb89edee60aad693a\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "asterisk"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "172.17.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "56433"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_ip"] == "172.17.0.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_port"] == "5061"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Mar 6 08:44:25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "6001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["asterisk_service"] == "SIP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "asterisk"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["session_id"] == "0x7fa52803a000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "6001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-03-06T08:44:25Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-03-06T08:44:25Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
diff --git a/.tests/asterisk-syslogs/parser.assert b/.tests/asterisk-syslogs/parser.assert
index 03d47b93180..a521df5a901 100644
--- a/.tests/asterisk-syslogs/parser.assert
+++ b/.tests/asterisk-syslogs/parser.assert
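Review bot: The enrichment assertions now pin a literal year that the log line does not contain — `Evt.Meta["timestamp"] == "2025-12-21T12:56:59Z"` and `Evt.Enriched["MarshaledTime"] == "2025-12-21T12:56:59Z"` for event [0], and likewise for [1]–[3] — while the event's own `EventTV` and the new `event_timestamp` assertion say 2021/2022. The syslog-style `Parsed["timestamp"]` (`Dec 21 12:56:59`) carries no year, so the enricher presumably fills it in from the clock at run time; if so, these assertions fail on the first run in 2026, and the `[4:]` slicing this hunk removes (`...Evt.Enriched["MarshaledTime"][4:] == "-12-21T12:56:59Z"`) was what tolerated that. Either keep the year-agnostic comparison, or, better for detection fidelity, have the parser hand the full `event_timestamp` to dateparse so the enriched time matches the event's real year — that is a parser change outside this diff, and the assertions here would then pin 2021/2022 instead.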
@@ -77,7 +77,7 @@ results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Parsed["username"] ==
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["machine"] == "alba"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["session_id"] == "9860f048-8b50-4c84-bd5e-4312b96b4e87"
@@ -100,7 +100,7 @@ results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Parsed["username"] ==
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["machine"] == "alba"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][1].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
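Review bot: The `datasource_path` assertions in this hunk stay as a bare string compare, `results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"`, while the audiobookshelf assert files touched by the same commit switch that key to `basename(...) == "..."`; if the wrapper was introduced because the recorded path depends on where the test harness runs, these assertions remain tied to the old layout. Suggest `basename(results["s01-parse"]["crowdsecurity/asterisk-logs"][0].Evt.Meta["datasource_path"]) == "asterisk-logs.log"` here, in the other hunks of this file (-100 through -294) and in the six hunks of .tests/asterisk-user-enum/scenario.assert, which keep the same bare compare on "asterisk-user-enum.log". Separately, swapping `log_type == "asterisk_failed_auth"` for `auth_status == "failed"` only asserts the new key is set; nothing checks that the parser stopped emitting `log_type`, so a parser that still sets both would pass unchanged — if Meta behaves like a string map, a `Meta["log_type"] == ""` line would pin the removal.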
@@ -124,7 +124,7 @@ results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Parsed["username"] ==
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["machine"] == "alba"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][3].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -147,7 +147,7 @@ results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Parsed["username"] ==
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["machine"] == "alba"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][4].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -170,7 +170,7 @@ results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Parsed["username"] ==
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["machine"] == "alba"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["service"] == "asterisk"
 results["s01-parse"]["crowdsecurity/asterisk-logs"][5].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -194,7 +194,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "alba"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["session_id"] == "9860f048-8b50-4c84-bd5e-4312b96b4e87"
@@ -219,7 +219,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "alba"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -244,7 +244,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "alba"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -269,7 +269,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "alba"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
@@ -294,7 +294,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["asterisk_service"] == "PJSIP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "asterisk-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "asterisk_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "alba"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "asterisk"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["session_id"] == "a79da57d-7fc3-440c-aca8-72afcdb600b8"
diff --git a/.tests/asterisk-user-enum/parser.assert b/.tests/asterisk-user-enum/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/asterisk-user-enum/scenario.assert b/.tests/asterisk-user-enum/scenario.assert
index a40ec5c42c4..a1053933bcb 100644
--- a/.tests/asterisk-user-enum/scenario.assert
+++ b/.tests/asterisk-user-enum/scenario.assert
@@ -7,7 +7,7 @@ results[0].Overflow.Sources["172.17.0.1"].GetValue() == "172.17.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[0].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
@@ -15,7 +15,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "netadmin"
 results[0].Overflow.Alert.Events[1].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[1].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
@@ -23,7 +23,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[2].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[2].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
@@ -31,7 +31,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[3].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[3].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
@@ -39,7 +39,7 @@ results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "tata"
 results[0].Overflow.Alert.Events[4].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[4].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.17.0.1"
@@ -47,7 +47,7 @@ results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[5].GetMeta("asterisk_service") == "PJSIP"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "asterisk-user-enum.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "asterisk_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "asterisk"
 results[0].Overflow.Alert.Events[5].GetMeta("session_id") == "2kOigHiNhyip1cGGyzdgMkqKV9a0F_G7kVfGdCUA12qsTwyHlQox1T7LSWAX"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.17.0.1"
diff --git a/.tests/audiobookshelf-bf/parser.assert b/.tests/audiobookshelf-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/audiobookshelf-bf/scenario.assert b/.tests/audiobookshelf-bf/scenario.assert
index 224f284c11f..e012fb47ee1 100644
--- a/.tests/audiobookshelf-bf/scenario.assert
+++ b/.tests/audiobookshelf-bf/scenario.assert
@@ -4,34 +4,34 @@ results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
 results[0].Overflow.Sources["192.168.1.1"].Range == ""
 results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "audiobookshelf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "audiobookshelf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "abs_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "audiobookshelf"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-13T09:07:04.784Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "test"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "audiobookshelf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "audiobookshelf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "abs_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "audiobookshelf"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "Hfhh"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-11-13T09:07:05.896Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "Hfhh"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "audiobookshelf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "audiobookshelf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "abs_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "audiobookshelf"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "Hfhh"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-11-13T09:07:07.896Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "Hfhh"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "audiobookshelf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "audiobookshelf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "abs_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "audiobookshelf"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-11-13T09:07:10.784Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "test"
 results[0].Overflow.Alert.GetScenario() == "plague-doctor/audiobookshelf-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/audiobookshelf-logs/parser.assert b/.tests/audiobookshelf-logs/parser.assert
index fb18b43d00e..7a2ac8a5e19 100644
--- a/.tests/audiobookshelf-logs/parser.assert
+++ b/.tests/audiobookshelf-logs/parser.assert
@@ -3,43 +3,43 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:05.896\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:17.741\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username 
\\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username \"fooobar\" from ip ::1 (User not found) (Auth.js:888)"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "[2024-10-20 17:48:07.192] INFO: [Auth] User \"test\" logged in from ip 192.168.1.1"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] User \\\"test\\\" logged in from ip 192.168.1.1\",\"levelName\":\"INFO\",\"level\":1}"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "audiobookshelf"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7
@@ -57,17 +57,17 @@ results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["program
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["reason"] == "Invalid password"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["username"] == "test"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["service"] == "audiobookshelf"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["username"] == "test"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["target_user"] == "test"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["level"] == 4
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["level"] == 4
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Success == true
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:05.896\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}"
@@ -75,12 +75,12 @@ results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["program
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["reason"] == "User not found"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["username"] == "Hfhh"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["service"] == "audiobookshelf"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["username"] == "Hfhh"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["target_user"] == "Hfhh"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["level"] == 4
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)"
@@ -93,17 +93,17 @@ results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["program
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["reason"] == "User not found"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["username"] == "Hfhh"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["service"] == "audiobookshelf"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["username"] == "Hfhh"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["target_user"] == "Hfhh"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:17.741"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["level"] == 4
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Success == true
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}"
@@ -111,17 +111,17 @@ results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["program
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["reason"] == "Invalid password"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["username"] == "test"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["service"] == "audiobookshelf"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["username"] == "test"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["target_user"] == "test"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["level"] == 4
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Success == true
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["message"] == "[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username \"fooobar\" from ip ::1 (User not found) (Auth.js:888)"
@@ -130,12 +130,12 @@ results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["reason"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["timestamp"] == "2024-11-13 09:54:35.882"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["username"] == "fooobar"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["service"] == "audiobookshelf"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["source_ip"] == "::1"
-results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["username"] == "fooobar"
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["target_user"] == "fooobar"
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][5].Success == false
 results["s01-parse"]["plague-doctor/audiobookshelf-logs"][6].Success == false
@@ -146,13 +146,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["reason"] == "Invalid password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "audiobookshelf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-11-13T11:03:31.784Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-11-13T11:03:31.784Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
@@ -166,19 +166,19 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["reason"] == "User not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "Hfhh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "audiobookshelf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "Hfhh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-11-13T09:07:05.896Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "Hfhh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-11-13T09:07:05.896Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:05.896"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:05.896"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:17.741\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}"
@@ -186,19 +186,19 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["reason"] == "User not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "Hfhh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "audiobookshelf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "Hfhh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-11-13T09:07:17.741Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "Hfhh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-11-13T09:07:17.741Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:17.741"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}"
@@ -206,19 +206,19 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["reason"] == "Invalid password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "test"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "audiobookshelf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-11-13T11:03:31.784Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-11-13T11:03:31.784Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["abs"]["level"] == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username \"fooobar\" from ip ::1 (User not found) (Auth.js:888)"
@@ -227,13 +227,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["reason"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2024-11-13 09:54:35.882"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "fooobar"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "audiobookshelf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "audiobookshelf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "abs_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "audiobookshelf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "fooobar"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-11-13T09:54:35.882Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "fooobar"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-11-13T09:54:35.882Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/auditd-base64-exec/parser.assert b/.tests/auditd-base64-exec/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/auditd-postexploit-exec-from-net/parser.assert b/.tests/auditd-postexploit-exec-from-net/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/auditd-postexploit-rm/parser.assert b/.tests/auditd-postexploit-rm/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/auditd-suid-crash/parser.assert b/.tests/auditd-suid-crash/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/auth-generic-test/auth-generic-test.log b/.tests/auth-generic-test/auth-generic-test.log
new file mode 100644
index 00000000000..e9bf9a23e70
--- /dev/null
+++ b/.tests/auth-generic-test/auth-generic-test.log
@@ -0,0 +1,4 @@
+Jun 12 16:20:12 leto authentik: {"action": "login_failed", "auth_via": "unauthenticated", "client_ip": "1.2.3.4", "context": {"geo": {"city": "Washington", "continent": "NA", "country": "US", "lat": 38.8894, "long": -77.0353}, "http_request": {"args": {"next": "/application/o/authorize/"}, "method": "POST", "path": "/api/v3/flows/executor/default-authentication-flow/"}, "password": "********************", "stage": {"app": "authentik_stages_password", "model_name": "passwordstage", "name": "default-authentication-password", "pk": "abc"}, "username": "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"}, "event": "Created Event", "host": "foo.mywebsite.com", "level": "info", "logger": "authentik.events.models", "pid": 290146, "request_id": "test123456789012345678901234567890", "timestamp": "2023-10-17T17:40:00.000000", "user": {"email": "", "pk": 2, "username": "AnonymousUser"}}
+Jun 12 16:20:13 leto gitea: 2025/04/29 12:36:00 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 1.1.1.1:48861: user does not exist [uid: 0, name: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl]
+Jun 12 16:20:14 leto jellyfin: [2023-10-17 17:40:00.000 +00:00] [INF] Authentication request for "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" has been denied (IP: "1.2.3.4"). Reason: Invalid username or password entered.
+
diff --git a/.tests/auth-generic-test/config.yaml b/.tests/auth-generic-test/config.yaml
new file mode 100644
index 00000000000..eb43a921803
--- /dev/null
+++ b/.tests/auth-generic-test/config.yaml
@@ -0,0 +1,16 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/firix/authentik-logs.yaml
+- ./parsers/s01-parse/LePresidente/gitea-logs.yaml
+- ./parsers/s01-parse/LePresidente/jellyfin-logs.yaml
+scenarios:
+- ./scenarios/crowdsecurity/auth-generic-test.yaml
+postoverflows:
+- ""
+log_file: auth-generic-test.log
+log_type: syslog
+labels: {}
+ignore_parsers: true
+override_statics: []
+
diff --git a/.tests/auth-generic-test/scenario.assert b/.tests/auth-generic-test/scenario.assert
new file mode 100644
index 00000000000..ac5ad5ed271
--- /dev/null
+++ b/.tests/auth-generic-test/scenario.assert
@@ -0,0 +1,48 @@
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "auth-generic-test.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "authentik"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:40:00Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/auth-generic-test"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 1
+"1.2.3.4" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[1].Overflow.Sources["1.2.3.4"].Range == ""
+results[1].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[1].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "auth-generic-test.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "jellyfin"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:40:00Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/auth-generic-test"
+results[1].Overflow.Alert.Remediation == false
+results[1].Overflow.Alert.GetEventsCount() == 1
+"1.1.1.1" in results[2].Overflow.GetSources()
+results[2].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
+results[2].Overflow.Sources["1.1.1.1"].Range == ""
+results[2].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
+results[2].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "auth-generic-test.log"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-04-29T12:36:00Z"
+results[2].Overflow.Alert.GetScenario() == "crowdsecurity/auth-generic-test"
+results[2].Overflow.Alert.Remediation == false
+results[2].Overflow.Alert.GetEventsCount() == 1
+
diff --git a/.tests/authelia-bf/parser.assert b/.tests/authelia-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/authelia-bf/scenario.assert b/.tests/authelia-bf/scenario.assert
index 11e82928258..848ba094e1f 100644
--- a/.tests/authelia-bf/scenario.assert
+++ b/.tests/authelia-bf/scenario.assert
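Review bot: The new scenario.assert has no `len(results) == 3` line and no `"1.2.3.4" in results[0].Overflow.GetSources()` check, although results[1] and results[2] each open with a membership check; the hunk is `+1,48` and all 48 lines are visible, so these are absent from the file rather than cut off. Without a count assertion, an extra overflow raised from the same three-line log (for example a second alert for 1.2.3.4) would pass the test unnoticed, and the results[0] block is the only one whose source is never confirmed against GetSources(). Prepending `len(results) == 3` and `"1.2.3.4" in results[0].Overflow.GetSources()` would make the file self-consistent with its own results[1]/results[2] blocks and with the other scenario.assert files in this commit.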
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["5.5.5.6"].IP == "5.5.5.6"
 results[0].Overflow.Sources["5.5.5.6"].Range == ""
 results[0].Overflow.Sources["5.5.5.6"].GetScope() == "Ip"
 results[0].Overflow.Sources["5.5.5.6"].GetValue() == "5.5.5.6"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2@example.com"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3@example.com"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4@example.com"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5@example.com"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "5.5.5.6"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6@example.com"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -60,54 +60,54 @@ results[1].Overflow.Sources["5.5.5.5"].IP == "5.5.5.5"
 results[1].Overflow.Sources["5.5.5.5"].Range == ""
 results[1].Overflow.Sources["5.5.5.5"].GetScope() == "Ip"
 results[1].Overflow.Sources["5.5.5.5"].GetValue() == "5.5.5.5"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "5.5.5.5"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf_user-enum"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -116,54 +116,54 @@ results[2].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2"
 results[2].Overflow.Sources["1.1.1.2"].Range == ""
 results[2].Overflow.Sources["1.1.1.2"].GetScope() == "Ip"
 results[2].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2@example.com"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2@example.com"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3@example.com"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3@example.com"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4@example.com"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4@example.com"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5@example.com"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5@example.com"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6@example.com"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[2].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6@example.com"
 results[2].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf_user-enum"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
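Review bot: The `log_type` meta is dropped rather than renamed (the removed `-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"` lines and their siblings), so after this change no asserted meta field says what kind of event was bucketed; the new `auth_status == "failed"` records only the outcome. Together with the `user` to `target_user` rename, anything downstream that reads `evt.Meta.log_type` or `evt.Meta.user` (profiles, notification templates, alert context) would presumably stop matching silently, which is worth a line in the commit description or the parser's description if it is intended. The same applies to the hunks at 172, 228, 284, 340, 396, 452 and 508. These assertions are hubtest output, so the actual change is in the parser, which is outside this diff.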
@@ -172,54 +172,54 @@ results[3].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[3].Overflow.Sources["1.1.1.1"].Range == ""
 results[3].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[3].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00"
-results[3].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6"
 results[3].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf_user-enum"
 results[3].Overflow.Alert.Remediation == true
 results[3].Overflow.Alert.GetEventsCount() == 6
@@ -228,54 +228,54 @@ results[4].Overflow.Sources["8.8.8.9"].IP == "8.8.8.9"
 results[4].Overflow.Sources["8.8.8.9"].Range == ""
 results[4].Overflow.Sources["8.8.8.9"].GetScope() == "Ip"
 results[4].Overflow.Sources["8.8.8.9"].GetValue() == "8.8.8.9"
+results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "8.8.8.9"
+results[4].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[4].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[4].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[4].Overflow.Alert.Remediation == true
 results[4].Overflow.Alert.GetEventsCount() == 6
@@ -284,54 +284,54 @@ results[5].Overflow.Sources["8.8.8.8"].IP == "8.8.8.8"
 results[5].Overflow.Sources["8.8.8.8"].Range == ""
 results[5].Overflow.Sources["8.8.8.8"].GetScope() == "Ip"
 results[5].Overflow.Sources["8.8.8.8"].GetValue() == "8.8.8.8"
+results[5].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
+results[5].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[1].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
+results[5].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[2].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
+results[5].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[3].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
+results[5].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[4].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
+results[5].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[5].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[5].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[5].Overflow.Alert.Events[5].GetMeta("source_ip") == "8.8.8.8"
+results[5].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[5].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:32:54+02:00"
-results[5].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[5].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[5].Overflow.Alert.Remediation == true
 results[5].Overflow.Alert.GetEventsCount() == 6
@@ -340,54 +340,54 @@ results[6].Overflow.Sources["7.7.7.8"].IP == "7.7.7.8"
 results[6].Overflow.Sources["7.7.7.8"].Range == ""
 results[6].Overflow.Sources["7.7.7.8"].GetScope() == "Ip"
 results[6].Overflow.Sources["7.7.7.8"].GetValue() == "7.7.7.8"
+results[6].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[0].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[6].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[1].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[6].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[2].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[6].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[3].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[6].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[4].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[6].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[6].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[6].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[6].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[6].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[6].Overflow.Alert.Events[5].GetMeta("source_ip") == "7.7.7.8"
+results[6].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[6].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[6].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[6].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[6].Overflow.Alert.Remediation == true
 results[6].Overflow.Alert.GetEventsCount() == 6
@@ -396,54 +396,54 @@ results[7].Overflow.Sources["7.7.7.7"].IP == "7.7.7.7"
 results[7].Overflow.Sources["7.7.7.7"].Range == ""
 results[7].Overflow.Sources["7.7.7.7"].GetScope() == "Ip"
 results[7].Overflow.Sources["7.7.7.7"].GetValue() == "7.7.7.7"
+results[7].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[0].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
+results[7].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[1].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
+results[7].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[2].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
+results[7].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[3].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
+results[7].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[4].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
+results[7].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[7].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[7].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[7].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[7].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[7].Overflow.Alert.Events[5].GetMeta("source_ip") == "7.7.7.7"
+results[7].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[7].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:32:13+02:00"
-results[7].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[7].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[7].Overflow.Alert.Remediation == true
 results[7].Overflow.Alert.GetEventsCount() == 6
@@ -452,54 +452,54 @@ results[8].Overflow.Sources["6.6.6.7"].IP == "6.6.6.7"
 results[8].Overflow.Sources["6.6.6.7"].Range == ""
 results[8].Overflow.Sources["6.6.6.7"].GetScope() == "Ip"
 results[8].Overflow.Sources["6.6.6.7"].GetValue() == "6.6.6.7"
+results[8].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[0].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[8].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[1].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[8].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[2].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[8].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[3].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[8].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[4].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[8].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[8].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[8].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[8].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[8].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[8].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[8].Overflow.Alert.Events[5].GetMeta("source_ip") == "6.6.6.7"
+results[8].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[8].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00"
-results[8].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[8].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[8].Overflow.Alert.Remediation == true
 results[8].Overflow.Alert.GetEventsCount() == 6
@@ -508,54 +508,54 @@ results[9].Overflow.Sources["6.6.6.6"].IP == "6.6.6.6" results[9].Overflow.Sources["6.6.6.6"].Range == "" results[9].Overflow.Sources["6.6.6.6"].GetScope() == "Ip" results[9].Overflow.Sources["6.6.6.6"].GetValue() == "6.6.6.6" +results[9].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[9].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[0].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[0].GetMeta("user") == "realuser" +results[9].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[9].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[1].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[1].GetMeta("user") == "realuser" +results[9].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" 
results[9].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[2].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[2].GetMeta("user") == "realuser" +results[9].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[9].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[3].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[3].GetMeta("user") == "realuser" +results[9].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[9].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[4].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[4].GetMeta("user") == 
"realuser" +results[9].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[9].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[9].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[9].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[9].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[9].Overflow.Alert.Events[5].GetMeta("source_ip") == "6.6.6.6" +results[9].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser" results[9].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:58+02:00" -results[9].Overflow.Alert.Events[5].GetMeta("user") == "realuser" results[9].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[9].Overflow.Alert.Remediation == true results[9].Overflow.Alert.GetEventsCount() == 6 
@@ -564,54 +564,54 @@ results[10].Overflow.Sources["5.5.5.6"].IP == "5.5.5.6" results[10].Overflow.Sources["5.5.5.6"].Range == "" results[10].Overflow.Sources["5.5.5.6"].GetScope() == "Ip" results[10].Overflow.Sources["5.5.5.6"].GetValue() == "5.5.5.6" +results[10].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[10].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com" results[10].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com" +results[10].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[10].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2@example.com" results[10].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2@example.com" +results[10].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[10].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3@example.com" results[10].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3@example.com" +results[10].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[10].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4@example.com" results[10].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4@example.com" +results[10].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[10].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[4].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[4].GetMeta("target_user") == 
"fakeuser5@example.com" results[10].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5@example.com" +results[10].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[10].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[10].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[10].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[10].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[10].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[10].Overflow.Alert.Events[5].GetMeta("source_ip") == "5.5.5.6" +results[10].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6@example.com" results[10].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[10].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6@example.com" results[10].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[10].Overflow.Alert.Remediation == true results[10].Overflow.Alert.GetEventsCount() == 6 
@@ -620,54 +620,54 @@ results[11].Overflow.Sources["5.5.5.5"].IP == "5.5.5.5" results[11].Overflow.Sources["5.5.5.5"].Range == "" results[11].Overflow.Sources["5.5.5.5"].GetScope() == "Ip" results[11].Overflow.Sources["5.5.5.5"].GetValue() == "5.5.5.5" +results[11].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[11].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1" results[11].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1" +results[11].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[11].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2" results[11].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2" +results[11].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[11].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3" results[11].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3" +results[11].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[11].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4" results[11].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4" +results[11].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[11].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[4].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5" 
results[11].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5" +results[11].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[11].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[11].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[11].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[11].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[11].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[11].Overflow.Alert.Events[5].GetMeta("source_ip") == "5.5.5.5" +results[11].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6" results[11].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00" -results[11].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6" results[11].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[11].Overflow.Alert.Remediation == true results[11].Overflow.Alert.GetEventsCount() == 6 
@@ -676,54 +676,54 @@ results[12].Overflow.Sources["4.4.4.5"].IP == "4.4.4.5" results[12].Overflow.Sources["4.4.4.5"].Range == "" results[12].Overflow.Sources["4.4.4.5"].GetScope() == "Ip" results[12].Overflow.Sources["4.4.4.5"].GetValue() == "4.4.4.5" +results[12].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[12].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com" results[12].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com" +results[12].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[12].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com" results[12].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com" +results[12].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[12].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com" results[12].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com" +results[12].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[12].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com" results[12].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com" +results[12].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[12].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[4].GetMeta("target_user") == 
"realuser@example.com" results[12].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com" +results[12].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[12].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[12].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[12].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[12].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[12].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[12].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.5" +results[12].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com" results[12].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[12].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com" results[12].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[12].Overflow.Alert.Remediation == true results[12].Overflow.Alert.GetEventsCount() == 6 
@@ -732,54 +732,54 @@ results[13].Overflow.Sources["4.4.4.5"].IP == "4.4.4.5" results[13].Overflow.Sources["4.4.4.5"].Range == "" results[13].Overflow.Sources["4.4.4.5"].GetScope() == "Ip" results[13].Overflow.Sources["4.4.4.5"].GetValue() == "4.4.4.5" +results[13].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[13].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com" results[13].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com" +results[13].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[13].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com" results[13].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com" +results[13].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[13].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com" results[13].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com" +results[13].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[13].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com" results[13].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com" +results[13].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[13].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[4].GetMeta("target_user") == 
"realuser@example.com" results[13].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com" +results[13].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[13].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[13].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[13].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[13].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[13].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[13].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.5" +results[13].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com" results[13].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00" -results[13].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com" results[13].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[13].Overflow.Alert.Remediation == true results[13].Overflow.Alert.GetEventsCount() == 6 
@@ -788,54 +788,54 @@ results[14].Overflow.Sources["4.4.4.4"].IP == "4.4.4.4" results[14].Overflow.Sources["4.4.4.4"].Range == "" results[14].Overflow.Sources["4.4.4.4"].GetScope() == "Ip" results[14].Overflow.Sources["4.4.4.4"].GetValue() == "4.4.4.4" +results[14].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[14].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser" results[14].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[0].GetMeta("user") == "realuser" +results[14].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[14].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser" results[14].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[1].GetMeta("user") == "realuser" +results[14].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[14].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser" results[14].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[2].GetMeta("user") == "realuser" +results[14].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[14].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser" results[14].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[3].GetMeta("user") == "realuser" +results[14].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[14].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser" 
results[14].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[4].GetMeta("user") == "realuser" +results[14].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[14].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[14].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[14].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[14].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[14].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[14].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.4" +results[14].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser" results[14].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-16T12:24:19+02:00" -results[14].Overflow.Alert.Events[5].GetMeta("user") == "realuser" results[14].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[14].Overflow.Alert.Remediation == true results[14].Overflow.Alert.GetEventsCount() == 6 
@@ -844,54 +844,54 @@ results[15].Overflow.Sources["4.4.4.4"].IP == "4.4.4.4"
 results[15].Overflow.Sources["4.4.4.4"].Range == ""
 results[15].Overflow.Sources["4.4.4.4"].GetScope() == "Ip"
 results[15].Overflow.Sources["4.4.4.4"].GetValue() == "4.4.4.4"
+results[15].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
+results[15].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
+results[15].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
+results[15].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
+results[15].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
+results[15].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[15].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[15].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[15].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[15].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[15].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[15].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.4"
+results[15].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[15].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T12:24:19+02:00"
-results[15].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[15].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[15].Overflow.Alert.Remediation == true
 results[15].Overflow.Alert.GetEventsCount() == 6
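Review bot: With the `-results[15].Overflow.Alert.Events[N].GetMeta("log_type") == "auth_failed"` lines dropped, `GetMeta("auth_status") == "failed"` is now the only assertion that ties each of the six bucketed events to a failed login, while `Remediation == true` and `GetEventsCount() == 6` still expect the scenario to overflow and ban. Assert files of this kind are presumably regenerated from the parser's current output, so they would just as readily encode a scenario whose filter still references the old `log_type`/`user` meta and matches nothing — the scenario's filter expression is not in this diff and is worth confirming against the new `auth_status`/`target_user` names. The identical substitution repeats in the hunks at -900, -956, -1012, -1068, -1124 and -1180.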
@@ -900,54 +900,54 @@ results[16].Overflow.Sources["3.3.3.4"].IP == "3.3.3.4"
 results[16].Overflow.Sources["3.3.3.4"].Range == ""
 results[16].Overflow.Sources["3.3.3.4"].GetScope() == "Ip"
 results[16].Overflow.Sources["3.3.3.4"].GetValue() == "3.3.3.4"
+results[16].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[16].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[16].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[16].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[16].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[4].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[16].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[16].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[16].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[16].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[16].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[16].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[16].Overflow.Alert.Events[5].GetMeta("source_ip") == "3.3.3.4"
+results[16].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[16].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[16].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[16].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[16].Overflow.Alert.Remediation == true
 results[16].Overflow.Alert.GetEventsCount() == 6
@@ -956,54 +956,54 @@ results[17].Overflow.Sources["3.3.3.3"].IP == "3.3.3.3"
 results[17].Overflow.Sources["3.3.3.3"].Range == ""
 results[17].Overflow.Sources["3.3.3.3"].GetScope() == "Ip"
 results[17].Overflow.Sources["3.3.3.3"].GetValue() == "3.3.3.3"
+results[17].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
+results[17].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
+results[17].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
+results[17].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
+results[17].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[4].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
+results[17].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[17].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[17].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[17].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[17].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[17].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[17].Overflow.Alert.Events[5].GetMeta("source_ip") == "3.3.3.3"
+results[17].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[17].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-16T11:48:16+02:00"
-results[17].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[17].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[17].Overflow.Alert.Remediation == true
 results[17].Overflow.Alert.GetEventsCount() == 6
@@ -1012,54 +1012,54 @@ results[18].Overflow.Sources["2.2.2.3"].IP == "2.2.2.3"
 results[18].Overflow.Sources["2.2.2.3"].Range == ""
 results[18].Overflow.Sources["2.2.2.3"].GetScope() == "Ip"
 results[18].Overflow.Sources["2.2.2.3"].GetValue() == "2.2.2.3"
+results[18].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[18].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[18].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[18].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[18].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[18].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[18].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[18].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[18].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[18].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[18].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[18].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.3"
+results[18].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[18].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[18].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[18].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[18].Overflow.Alert.Remediation == true
 results[18].Overflow.Alert.GetEventsCount() == 6
@@ -1068,54 +1068,54 @@ results[19].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[19].Overflow.Sources["2.2.2.2"].Range == ""
 results[19].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[19].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
+results[19].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
+results[19].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
+results[19].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
+results[19].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
+results[19].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
+results[19].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[19].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[19].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[19].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[19].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[19].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[19].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2"
+results[19].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[19].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:49:12+02:00"
-results[19].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[19].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[19].Overflow.Alert.Remediation == true
 results[19].Overflow.Alert.GetEventsCount() == 6
@@ -1124,54 +1124,54 @@ results[20].Overflow.Sources["10.10.10.13"].IP == "10.10.10.13"
 results[20].Overflow.Sources["10.10.10.13"].Range == ""
 results[20].Overflow.Sources["10.10.10.13"].GetScope() == "Ip"
 results[20].Overflow.Sources["10.10.10.13"].GetValue() == "10.10.10.13"
+results[20].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[0].GetMeta("user") == "realuser@example.com"
+results[20].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[1].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[1].GetMeta("user") == "realuser@example.com"
+results[20].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[2].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[2].GetMeta("user") == "realuser@example.com"
+results[20].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[3].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[3].GetMeta("user") == "realuser@example.com"
+results[20].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[4].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[4].GetMeta("user") == "realuser@example.com"
+results[20].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[20].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log"
 results[20].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[20].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[20].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[20].Overflow.Alert.Events[5].GetMeta("service") == "authelia"
 results[20].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.10.10.13"
+results[20].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser@example.com"
 results[20].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00"
-results[20].Overflow.Alert.Events[5].GetMeta("user") == "realuser@example.com"
 results[20].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[20].Overflow.Alert.Remediation == true
 results[20].Overflow.Alert.GetEventsCount() == 6
@@ -1180,54 +1180,54 @@ results[21].Overflow.Sources["10.10.10.12"].IP == "10.10.10.12" results[21].Overflow.Sources["10.10.10.12"].Range == "" results[21].Overflow.Sources["10.10.10.12"].GetScope() == "Ip" results[21].Overflow.Sources["10.10.10.12"].GetValue() == "10.10.10.12" +results[21].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[21].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser" results[21].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[0].GetMeta("user") == "realuser" +results[21].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[21].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser" results[21].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[1].GetMeta("user") == "realuser" +results[21].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[21].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser" results[21].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[2].GetMeta("user") == "realuser" +results[21].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[21].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser" results[21].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[3].GetMeta("user") == "realuser" +results[21].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[21].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser" 
results[21].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[4].GetMeta("user") == "realuser" +results[21].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[21].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[21].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[21].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[21].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[21].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[21].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.10.10.12" +results[21].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser" results[21].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T13:46:31+02:00" -results[21].Overflow.Alert.Events[5].GetMeta("user") == "realuser" results[21].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[21].Overflow.Alert.Remediation == true results[21].Overflow.Alert.GetEventsCount() == 6 
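Review bot: The expected event metadata drops `log_type` entirely (every `-…GetMeta("log_type") == "auth_failed"` line is removed and `auth_status == "failed"` is added in its place) and renames `user` to `target_user`; this fixture only records that parser-output contract change, and nothing in the diff shows the old keys being kept for compatibility. Any other scenario, postoverflow or notification template that filters on `evt.Meta.log_type` or reads `evt.Meta.user` for authelia events would silently stop matching rather than fail loudly, so it is worth confirming nothing in the hub still keys on the old names, or emitting `log_type` alongside `auth_status` for a transition period. This file looks like a generated `.assert` fixture, so the point applies to the parser change it reflects, not to these lines themselves. The same renames appear in the hunks at -1236, -1292, -1348, -1404, -1460 and -1516, and in the hunk that begins before this chunk.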
@@ -1236,54 +1236,54 @@ results[22].Overflow.Sources["10.10.10.11"].IP == "10.10.10.11" results[22].Overflow.Sources["10.10.10.11"].Range == "" results[22].Overflow.Sources["10.10.10.11"].GetScope() == "Ip" results[22].Overflow.Sources["10.10.10.11"].GetValue() == "10.10.10.11" +results[22].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[22].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.10.10.11" +results[22].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser@example.com" +results[22].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[22].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.10.10.11" +results[22].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser@example.com" +results[22].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[2].GetMeta("datasource_path")) 
== "authelia-bf.log" results[22].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.10.10.11" +results[22].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser@example.com" +results[22].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[22].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.10.10.11" +results[22].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser@example.com" +results[22].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[22].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.10.10.11" 
+results[22].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser@example.com" +results[22].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[22].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[22].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[22].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[22].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[22].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[22].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.10.10.11" +results[22].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser@example.com" results[22].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[22].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser@example.com" results[22].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[22].Overflow.Alert.Remediation == true results[22].Overflow.Alert.GetEventsCount() == 6 
@@ -1292,54 +1292,54 @@ results[23].Overflow.Sources["10.10.10.10"].IP == "10.10.10.10" results[23].Overflow.Sources["10.10.10.10"].Range == "" results[23].Overflow.Sources["10.10.10.10"].GetScope() == "Ip" results[23].Overflow.Sources["10.10.10.10"].GetValue() == "10.10.10.10" +results[23].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[23].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser" results[23].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser" +results[23].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[23].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser" results[23].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser" +results[23].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[23].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser" results[23].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser" +results[23].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[23].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser" results[23].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser" +results[23].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[23].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser" 
results[23].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser" +results[23].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[23].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[23].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[23].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON" -results[23].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[23].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[23].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.10.10.10" +results[23].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser" results[23].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T13:39:05+02:00" -results[23].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser" results[23].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[23].Overflow.Alert.Remediation == true results[23].Overflow.Alert.GetEventsCount() == 6 
@@ -1348,54 +1348,54 @@ results[24].Overflow.Sources["1.1.1.4"].IP == "1.1.1.4" results[24].Overflow.Sources["1.1.1.4"].Range == "" results[24].Overflow.Sources["1.1.1.4"].GetScope() == "Ip" results[24].Overflow.Sources["1.1.1.4"].GetValue() == "1.1.1.4" +results[24].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[24].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser@example.com" results[24].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser@example.com" +results[24].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[24].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser@example.com" results[24].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser@example.com" +results[24].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[24].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser@example.com" results[24].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser@example.com" +results[24].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[24].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser@example.com" results[24].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser@example.com" +results[24].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[24].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[4].GetMeta("target_user") == 
"fakeuser@example.com" results[24].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser@example.com" +results[24].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[24].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[24].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[24].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[24].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[24].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[24].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.4" +results[24].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser@example.com" results[24].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[24].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser@example.com" results[24].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[24].Overflow.Alert.Remediation == true results[24].Overflow.Alert.GetEventsCount() == 6 
@@ -1404,54 +1404,54 @@ results[25].Overflow.Sources["1.1.1.3"].IP == "1.1.1.3" results[25].Overflow.Sources["1.1.1.3"].Range == "" results[25].Overflow.Sources["1.1.1.3"].GetScope() == "Ip" results[25].Overflow.Sources["1.1.1.3"].GetValue() == "1.1.1.3" +results[25].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[25].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser" results[25].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser" +results[25].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[25].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser" results[25].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser" +results[25].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[25].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser" results[25].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser" +results[25].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[25].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser" results[25].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser" +results[25].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[25].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser" 
results[25].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser" +results[25].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[25].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[25].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[25].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[25].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[25].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[25].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.3" +results[25].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser" results[25].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-13T14:01:02+02:00" -results[25].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser" results[25].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[25].Overflow.Alert.Remediation == true results[25].Overflow.Alert.GetEventsCount() == 6 
@@ -1460,54 +1460,54 @@ results[26].Overflow.Sources["1.1.1.2"].IP == "1.1.1.2" results[26].Overflow.Sources["1.1.1.2"].Range == "" results[26].Overflow.Sources["1.1.1.2"].GetScope() == "Ip" results[26].Overflow.Sources["1.1.1.2"].GetValue() == "1.1.1.2" +results[26].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[26].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com" results[26].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com" +results[26].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[26].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2@example.com" results[26].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2@example.com" +results[26].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[26].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3@example.com" results[26].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3@example.com" +results[26].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[26].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4@example.com" results[26].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4@example.com" +results[26].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[26].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[4].GetMeta("target_user") == 
"fakeuser5@example.com" results[26].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5@example.com" +results[26].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[26].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[26].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[26].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[26].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[26].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[26].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.2" +results[26].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6@example.com" results[26].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[26].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6@example.com" results[26].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[26].Overflow.Alert.Remediation == true results[26].Overflow.Alert.GetEventsCount() == 6 
@@ -1516,54 +1516,54 @@ results[27].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1" results[27].Overflow.Sources["1.1.1.1"].Range == "" results[27].Overflow.Sources["1.1.1.1"].GetScope() == "Ip" results[27].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1" +results[27].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authelia-bf.log" results[27].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[0].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1" results[27].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1" +results[27].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log" results[27].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[1].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser2" results[27].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser2" +results[27].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authelia-bf.log" 
results[27].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[2].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser3" results[27].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser3" +results[27].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authelia-bf.log" results[27].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[3].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser4" results[27].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser4" +results[27].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authelia-bf.log" results[27].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[4].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser5" 
results[27].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser5" +results[27].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[27].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authelia-bf.log" results[27].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[27].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF" -results[27].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" results[27].Overflow.Alert.Events[5].GetMeta("service") == "authelia" results[27].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1" +results[27].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser6" results[27].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:54+02:00" -results[27].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6" results[27].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf" results[27].Overflow.Alert.Remediation == true -results[27].Overflow.Alert.GetEventsCount() == 6 \ No newline at end of file +results[27].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/authelia-logs/authelia-logs.log b/.tests/authelia-logs/authelia-logs.log index 82b5ee6c2af..322aec020d7 100644 --- a/.tests/authelia-logs/authelia-logs.log +++ b/.tests/authelia-logs/authelia-logs.log 
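Review bot: The new meta keys `auth_status` and `target_user` replace `log_type` and `user` on every authelia event asserted in this hunk, and nothing visible in the commit documents that the old keys disappear; any consumer outside this repository that filters on `evt.Meta.log_type` or `evt.Meta.user` — custom scenarios, whitelists, notification templates — would silently stop matching rather than fail loudly. If the parser's `description` or the hub changelog does not already state the rename, add a line where the parser documents its output such as `# meta keys renamed: log_type -> auth_status (failed|success), user -> target_user`, and consider emitting the old keys alongside the new ones for one release so downstream filters can be migrated. The same rename appears in every parser.assert hunk below; this is the first complete hunk that shows it.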
@@ -28,3 +28,4 @@ time="2022-03-30T14:28:58+02:00" level=debug msg="Successful Duo authentication
 {"error":"user not found","level":"error","method":"POST","msg":"Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist","path":"/api/firstfactor","remote_ip":"1.1.1.1","time":"2025-03-13T13:39:05+02:00"}
 {"error":"duo auth result: deny, status: deny, message: Login request denied.","level":"error","method":"POST","msg":"Unsuccessful Duo authentication attempt by user 'realuser'","path":"/api/secondfactor/duo","remote_ip":"1.1.1.1","time":"2025-03-13T13:46:31+02:00"}
 {"error":"duo auth result: deny, status: deny, message: Login request denied.","level":"error","method":"POST","msg":"Unsuccessful Duo authentication attempt by user 'realuser@example.com'","path":"/api/secondfactor/duo","remote_ip":"1.1.1.1","time":"2025-03-13T13:46:31+02:00"}
+{"level":"error","method":"POST","msg":"Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found","path":"/api/firstfactor","remote_ip":"1.1.1.1","time":"2025-03-13T14:00:00+02:00"}
diff --git a/.tests/authelia-logs/parser.assert b/.tests/authelia-logs/parser.assert
index 4feaee0f827..a04086f9a8d 100644
--- a/.tests/authelia-logs/parser.assert
+++ b/.tests/authelia-logs/parser.assert
@@ -1,5 +1,5 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 30 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 31 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "time=\"2025-03-13T14:01:02+02:00\" level=error msg=\"Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist\" error=\"user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "authelia" 
@@ -180,7 +180,13 @@ results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Parsed["program"] == "aut basename(results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 30 +results["s00-raw"]["crowdsecurity/non-syslog"][30].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T14:00:00+02:00\"}" +results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["program"] == "authelia" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_path"]) == "authelia-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 31 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false 
@@ -211,18 +217,20 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][26].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][27].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][28].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][29].Success == false -len(results["s01-parse"]["LePresidente/authelia-logs"]) == 30 +results["s00-raw"]["crowdsecurity/syslog-logs"][30].Success == false +len(results["s01-parse"]["LePresidente/authelia-logs"]) == 31 results["s01-parse"]["LePresidente/authelia-logs"][0].Success == true results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Parsed["message"] == "time=\"2025-03-13T14:01:02+02:00\" level=error msg=\"Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist\" error=\"user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Parsed["user"] == "fakeuser" +results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["user"] == "fakeuser" +results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["target_user"] == "fakeuser" 
+results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" 
@@ -230,19 +238,19 @@ results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T14:01:02+02:00" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["error"] == "user not found" -results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][1].Success == true results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Parsed["message"] == "time=\"2025-03-13T14:01:02+02:00\" level=error msg=\"Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist\" error=\"user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Parsed["user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["user"] == 
"fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Meta["target_user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T14:01:02+02:00" 
@@ -250,40 +258,39 @@ results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist" -results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][1].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][2].Success == true results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Parsed["auth_status"] == "Unsuccessful" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Parsed["message"] == "time=\"2022-02-14T13:47:54+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Parsed["user"] == "fakeuser" +results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["source_ip"] == 
"1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["user"] == "fakeuser" -results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" -results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:47:54+02:00" -results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["level"] == "error" +results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Meta["target_user"] == "fakeuser" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" +results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" +results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:47:54+02:00" +results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][2].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][3].Success == true results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Parsed["auth_status"] == "Unsuccessful" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Parsed["message"] == "time=\"2022-02-14T13:47:54+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'fakeuser@example.com': user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Parsed["program"] == "authelia" 
results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Parsed["user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Meta["target_user"] == "fakeuser@example.com" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:47:54+02:00" results["s01-parse"]["LePresidente/authelia-logs"][3].Evt.Unmarshaled["authelia"]["level"] == "error" 
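Review bot: The new `Evt.Meta["auth_status"]` key shares its name with the pre-existing `Evt.Parsed["auth_status"]` but not its vocabulary: the Parsed value is the raw log token (`"Unsuccessful"` on the context lines for events [2] and [3]) while the Meta value is normalised to `"failed"`/`"success"`. A scenario written against `evt.Parsed.auth_status == 'failed'` would evaluate to false without any error, so either give the raw capture a distinct name in the parser or state in the parser's documentation that Meta carries the normalised value and Parsed the verbatim token. Much of the remainder of this hunk, and of the hunks for events [5]–[7] and [10], is pure reordering of `Unmarshaled["authelia"][...]` lines, which looks like unstable map-iteration order in the assert generator rather than a behavioural change; regenerating with sorted keys would keep these snapshots reviewable.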
@@ -297,13 +304,13 @@ results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Parsed["auth_status"] results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Parsed["message"] == "time=\"2022-02-14T13:49:12+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'realuser'\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Meta["target_user"] == "realuser" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][4].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser'" 
@@ -317,72 +324,72 @@ results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Parsed["auth_status"] results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Parsed["message"] == "time=\"2022-02-14T13:49:12+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'realuser@example.com'\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Parsed["user"] == "realuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["user"] == "realuser@example.com" -results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Meta["target_user"] == "realuser@example.com" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser@example.com'" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" 
results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:49:12+02:00" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["level"] == "error" +results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][5].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][6].Success == true results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Parsed["auth_status"] == "Successful" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:52+02:00\" level=debug msg=\"Successful 1FA authentication attempt made by user 'realuser'\" method=POST path=/api/firstfactor remote_ip=127.0.0.1" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Meta["target_user"] == "realuser" 
+results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["level"] == "debug" +results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["msg"] == "Successful 1FA authentication attempt made by user 'realuser'" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:52+02:00" -results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["level"] == "debug" -results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][6].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][7].Success == true results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Parsed["auth_status"] == "Unsuccessful" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Parsed["message"] == "time=\"2022-02-16T11:48:16+02:00\" level=error msg=\"Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied.\" method=POST path=/api/secondfactor/duo remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["datasource_type"] == "file" 
results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Meta["target_user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied." +results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T11:48:16+02:00" results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["level"] == "error" -results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["method"] == "POST" -results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied." 
-results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s01-parse"]["LePresidente/authelia-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][8].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Parsed["message"] == "time=\"2022-02-16T11:48:16+02:00\" level=error msg=\"Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied.\" method=POST path=/api/secondfactor/duo remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Parsed["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Meta["target_user"] == "realuser@example.com"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied."
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s01-parse"]["LePresidente/authelia-logs"][8].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
@@ -396,13 +403,13 @@ results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Parsed["auth_status"]
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:58+02:00\" level=debug msg=\"Successful Duo authentication attempt made by user 'realuser'\" method=POST path=/api/secondfactor/duo remote_ip=127.0.0.1"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Meta["target_user"] == "realuser"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s01-parse"]["LePresidente/authelia-logs"][9].Evt.Unmarshaled["authelia"]["method"] == "POST"
@@ -415,131 +422,131 @@ results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Parsed["auth_status"]
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Parsed["message"] == "time=\"2022-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful TOTP authentication attempt by user 'realuser'\" method=POST path=/api/secondfactor/totp remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Meta["target_user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:24:19+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser'"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
-results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][11].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Parsed["message"] == "time=\"2022-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful TOTP authentication attempt by user 'realuser@example.com'\" method=POST path=/api/secondfactor/totp remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Parsed["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Meta["target_user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:24:19+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser@example.com'"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
-results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s01-parse"]["LePresidente/authelia-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][12].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Parsed["message"] == "time=\"2024-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful U2F authentication attempt by user 'realuser'\" method=POST path=/api/secondfactor/webauthn remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Meta["target_user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful U2F authentication attempt by user 'realuser'"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/webauthn"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["time"] == "2024-02-16T12:24:19+02:00"
-results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][12].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][13].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Parsed["message"] == "time=\"2024-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful U2F authentication attempt by user 'realuser@example.com'\" method=POST path=/api/secondfactor/webauthn remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Parsed["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Meta["target_user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["level"] == "error"
+results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful U2F authentication attempt by user 'realuser@example.com'"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/webauthn"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["time"] == "2024-02-16T12:24:19+02:00"
-results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["level"] == "error"
-results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][14].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Parsed["auth_status"] == "Successful"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:58+02:00\" level=debug msg=\"Successful Duo authentication attempt made by user 'realuser'\" method=POST path=/api/secondfactor/duo remote_ip=127.0.0.1"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["user"] == "realuser"
-results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
-results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00"
+results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Meta["target_user"] == "realuser"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'"
+results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
+results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][14].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][15].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":52,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:49+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Parsed["user"] == "fakeuser"
+results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["user"] == "fakeuser"
-results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found"
-results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
-results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Meta["target_user"] == "fakeuser"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["method"] == "POST"
+results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found"
+results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][15].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][16].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'fakeuser@example.com': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":52,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:49+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Parsed["user"] == "fakeuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["user"] == "fakeuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][16].Evt.Unmarshaled["authelia"]["method"] == "POST"
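Review bot: The `@@ -415,131 +422,131 @@` hunk (and the shorter `@@ -396,13 +403,13 @@` hunk before it) removes every `Evt.Meta["log_type"]` and `Evt.Meta["user"]` assertion without asserting that those keys are now absent, so a parser that keeps emitting the old keys next to the new `auth_status` / `target_user` ones would still pass this file. Since these assertions look regenerated rather than hand-written, that absence check is worth doing once by hand against the authelia parser output, or by a count of `Evt.Meta` entries if the assert expression language supports it. The change also alters values, not only key names (`auth_failed` / `auth_success` become `failed` / `success`), which breaks any scenario or postoverflow that filters on `evt.Meta.log_type`; the scenario-level assertions that would prove those consumers were migrated lie outside this chunk, so I could not confirm them here.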
@@ -552,127 +559,127 @@ results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Parsed["auth_status"]
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'realuser'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":60,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:58+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["user"] == "realuser"
-results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
-results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:58+02:00"
+results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Meta["target_user"] == "realuser"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser'"
+results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:58+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][17].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][18].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":60,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:58+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Parsed["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["user"] == "realuser@example.com"
-results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:58+02:00"
+results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Meta["target_user"] == "realuser@example.com"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser@example.com'"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:58+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][18].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][19].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Parsed["auth_status"] == "Successful"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Parsed["message"] == "{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful 1FA authentication attempt made by user 'realuser'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:24:18+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["user"] == "realuser"
-results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["level"] == "debug"
+results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Meta["target_user"] == "realuser"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["msg"] == "Successful 1FA authentication attempt made by user 'realuser'"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:24:18+02:00"
+results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s01-parse"]["LePresidente/authelia-logs"][19].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][20].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied.\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_duo.go\",\"Line\":74,\"Name\":\"SecondFactorDuoPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:13+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Parsed["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Meta["target_user"] == "realuser"
+results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied."
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:13+02:00"
-results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][20].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/authelia-logs"][21].Success == true
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied.\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_duo.go\",\"Line\":74,\"Name\":\"SecondFactorDuoPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:13+02:00\"}"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Parsed["program"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Parsed["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Meta["target_user"] == "realuser@example.com"
+results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:13+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied."
results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" -results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:13+02:00" results["s01-parse"]["LePresidente/authelia-logs"][21].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][22].Success == true results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Parsed["auth_status"] == "Successful" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Parsed["message"] == "{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful Duo authentication attempt made by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:26:22+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["user"] == "realuser" -results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["level"] == "debug" 
+results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Meta["target_user"] == "realuser" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:26:22+02:00" +results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Unmarshaled["authelia"]["level"] == "debug" results["s01-parse"]["LePresidente/authelia-logs"][22].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][23].Success == true results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Parsed["auth_status"] == "Unsuccessful" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful TOTP authentication attempt by user 
'realuser'\",\"path\":\"/api/secondfactor/totp\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_totp.go\",\"Line\":41,\"Name\":\"SecondFactorTOTPPost\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:54+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["log_type"] == "auth_failed" 
results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Meta["target_user"] == "realuser" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][23].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser'" 
@@ -685,89 +692,89 @@ results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Parsed["auth_status"] results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful TOTP authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/secondfactor/totp\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_totp.go\",\"Line\":41,\"Name\":\"SecondFactorTOTPPost\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:54+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Parsed["user"] == "realuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["datasource_path"]) == 
"authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["user"] == "realuser@example.com" -results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:54+02:00" +results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Meta["target_user"] == "realuser@example.com" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser@example.com'" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp" +results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" +results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:54+02:00" results["s01-parse"]["LePresidente/authelia-logs"][24].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][25].Success == true results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Parsed["auth_status"] == "Successful" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Parsed["message"] == 
"{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful Duo authentication attempt made by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:26:22+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["user"] == "realuser" -results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["level"] == "debug" -results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["method"] == "POST" -results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'" +results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Meta["target_user"] == "realuser" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:26:22+02:00" 
+results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["level"] == "debug" +results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'" results["s01-parse"]["LePresidente/authelia-logs"][25].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][26].Success == true results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:39:05+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Parsed["user"] == "fakeuser" +results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["user"] == "fakeuser" +results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Meta["target_user"] == "fakeuser" 
+results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist" +results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["error"] == "user not found" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["level"] == "error" -results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["method"] == "POST" -results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist" -results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][26].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][27].Success == true results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:39:05+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Parsed["program"] == "authelia" 
results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Parsed["user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["user"] == "fakeuser@example.com" -results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["error"] == "user not found" -results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["level"] == "error" +results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Meta["target_user"] == "fakeuser@example.com" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00" +results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["error"] == "user not found" 
+results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Unmarshaled["authelia"]["level"] == "error" results["s01-parse"]["LePresidente/authelia-logs"][27].Evt.Whitelisted == false results["s01-parse"]["LePresidente/authelia-logs"][28].Success == true results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Parsed["auth_status"] == "Unsuccessful" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Parsed["message"] == "{\"error\":\"duo auth result: deny, status: deny, message: Login request denied.\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:46:31+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Parsed["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["user"] == "realuser" +results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Meta["target_user"] == "realuser" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 
'realuser'" results["s01-parse"]["LePresidente/authelia-logs"][28].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" 
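Review bot: The removed `Meta["log_type"] == "auth_failed"` / `"auth_success"` lines for `[24]`–`[28]` and the `Meta["user"]` → `Meta["target_user"]` swap are a key rename that this assert file cannot prove safe for consumers: a scenario whose filter still reads `evt.Meta.log_type == 'auth_failed'` or groups on `evt.Meta.user` does not error, it simply never fills its bucket, so the brute-force detection goes dark with every test still green. Please confirm the authelia scenarios (and any third-party scenarios that key on these names) were updated in the same change, and that the corresponding `scenario.assert` still shows an overflow for the `1.1.1.1` fixtures after the rename. If out-of-tree scenarios must keep working, having the parser emit both the old and new keys for a deprecation window is the backward-compatible option.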
@@ -781,34 +788,53 @@ results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Parsed["auth_status"] results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Parsed["message"] == "{\"error\":\"duo auth result: deny, status: deny, message: Login request denied.\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:46:31+02:00\"}" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Parsed["program"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Parsed["user"] == "realuser@example.com" +results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["service"] == "authelia" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["user"] == "realuser@example.com" -results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com'" -results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" +results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Meta["target_user"] == "realuser@example.com" results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" 
 results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:46:31+02:00"
 results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["error"] == "duo auth result: deny, status: deny, message: Login request denied."
 results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["method"] == "POST"
+results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com'"
+results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s01-parse"]["LePresidente/authelia-logs"][29].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 30
+results["s01-parse"]["LePresidente/authelia-logs"][30].Success == true
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Parsed["auth_status"] == "Unsuccessful"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T14:00:00+02:00\"}"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Parsed["program"] == "authelia"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Parsed["user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["datasource_path"]) == "authelia-logs.log"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["log_format"] == "JSON"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["service"] == "authelia"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["method"] == "POST"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T14:00:00+02:00"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Unmarshaled["authelia"]["level"] == "error"
+results["s01-parse"]["LePresidente/authelia-logs"][30].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 31
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "time=\"2025-03-13T14:01:02+02:00\" level=error msg=\"Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist\" error=\"user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_format"] == "CLF" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "fakeuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-03-13T14:01:02+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "fakeuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-03-13T14:01:02+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" 
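Review bot: The new `[30]` fixture (`Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found`) only varies the username's length and character set, while every username in this file is benign; Authelia echoes the attacker-supplied login input verbatim inside `msg`, so the part of the line that drives `Parsed["user"]`, `Meta["target_user"]` and `Meta["auth_status"]` is under the attacker's control. A fixture whose username contains a quote or the `': ` delimiter (for example `admin': user not found`) would pin that a crafted login form value cannot steer those fields; the parser pattern is not visible here, so this is a coverage gap rather than a confirmed defect. It is also worth recording, in the test's description or the PR text rather than in this regenerated `.assert` file, why this fixture uses a `crowdsec-test-` prefixed random identifier instead of `fakeuser` like its siblings — as asserted it is `Whitelisted == false` and `auth_status == "failed"`, so it counts against `1.1.1.1` like any other failed attempt, which presumably is the intent.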
@@ -823,16 +849,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "time=\"2025-03-13T14:01:02+02:00\" level=error msg=\"Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist\" error=\"user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "fakeuser@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_format"] == "CLF" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "fakeuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-03-13T14:01:02+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "fakeuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-03-13T14:01:02+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["level"] == "error" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" 
@@ -840,42 +865,43 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["auth
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T14:01:02+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["error"] == "user not found"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "time=\"2022-02-14T13:47:54+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-02-14T13:47:54+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-02-14T13:47:54+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:47:54+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "time=\"2022-02-14T13:47:54+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'fakeuser@example.com': user not found\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["user"] == "fakeuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-02-14T13:47:54+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-02-14T13:47:54+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["authelia"]["method"] == "POST"
@@ -890,316 +916,316 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_stat
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "time=\"2022-02-14T13:49:12+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'realuser'\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-02-14T13:49:12+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-02-14T13:49:12+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:49:12+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "time=\"2022-02-14T13:49:12+02:00\" level=error msg=\"Unsuccessful 1FA authentication attempt by user 'realuser@example.com'\" method=POST path=/api/firstfactor remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-02-14T13:49:12+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-02-14T13:49:12+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:49:12+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser@example.com'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["authelia"]["time"] == "2022-02-14T13:49:12+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:52+02:00\" level=debug msg=\"Successful 1FA authentication attempt made by user 'realuser'\" method=POST path=/api/firstfactor remote_ip=127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-03-30T14:28:52+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:28:52+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["msg"] == "Successful 1FA authentication attempt made by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:52+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "time=\"2022-02-16T11:48:16+02:00\" level=error msg=\"Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied.\" method=POST path=/api/secondfactor/duo remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-02-16T11:48:16+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2022-02-16T11:48:16+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T11:48:16+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T11:48:16+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "time=\"2022-02-16T11:48:16+02:00\" level=error msg=\"Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied.\" method=POST path=/api/secondfactor/duo remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-02-16T11:48:16+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2022-02-16T11:48:16+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T11:48:16+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T11:48:16+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:58+02:00\" level=debug msg=\"Successful Duo authentication attempt made by user 'realuser'\" method=POST path=/api/secondfactor/duo remote_ip=127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2022-03-30T14:28:58+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:28:58+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "time=\"2022-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful TOTP authentication attempt by user 'realuser'\" method=POST path=/api/secondfactor/totp remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:24:19+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "time=\"2022-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful TOTP authentication attempt by user 'realuser@example.com'\" method=POST path=/api/secondfactor/totp remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:24:19+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser@example.com'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:24:19+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["method"] == "POST"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser@example.com'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "time=\"2024-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful U2F authentication attempt by user 'realuser'\" method=POST path=/api/secondfactor/webauthn remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2024-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2024-02-16T12:24:19+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful U2F authentication attempt by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/webauthn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["time"] == "2024-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "time=\"2024-02-16T12:24:19+02:00\" level=error msg=\"Unsuccessful U2F authentication attempt by user 'realuser@example.com'\" method=POST path=/api/secondfactor/webauthn remote_ip=1.1.1.1 stack=\"longstacktrace\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2024-02-16T12:24:19+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2024-02-16T12:24:19+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["time"] == "2024-02-16T12:24:19+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful U2F authentication attempt by user 'realuser@example.com'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/webauthn"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Unmarshaled["authelia"]["stack"] == "longstacktrace"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "time=\"2022-03-30T14:28:58+02:00\" level=debug msg=\"Successful Duo authentication attempt made by user 'realuser'\" method=POST path=/api/secondfactor/duo remote_ip=127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2022-03-30T14:28:58+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:28:58+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:28:58+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["level"] == "debug" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["auth_status"] == "Unsuccessful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":52,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":
\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:49+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["user"] == "fakeuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["target_user"] == "fakeuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2022-02-16T12:31:49+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["user"] == "fakeuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:31:49+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["level"] == "error" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser': user not found" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Unmarshaled["authelia"]["level"] == "error" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["auth_status"] == "Unsuccessful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'fakeuser@example.com': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":52,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh
.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:49+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["user"] == "fakeuser@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["target_user"] == "fakeuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2022-02-16T12:31:49+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["user"] == "fakeuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:31:49+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["level"] == "error" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'fakeuser@example.com': user not found" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:49+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["auth_status"] == "Unsuccessful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'realuser'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":60,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:58+02:00\"}" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["user"] == "realuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["target_user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2022-02-16T12:31:58+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:31:58+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:31:58+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["level"] == "error" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["method"] == "POST" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 
1FA authentication attempt by user 'realuser'" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["auth_status"] == "Unsuccessful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go\",\"Line\":60,\"Name\":\"FirstFactorPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:31:58+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["user"] == 
"realuser@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["target_user"] == "realuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2022-02-16T12:31:58+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["user"] == "realuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:31:58+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'realuser@example.com'" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor" 
@@ -1213,14 +1239,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["auth_sta results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["message"] == "{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful 1FA authentication attempt made by user 'realuser'\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:24:18+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["user"] == "realuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["auth_status"] == "success" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["target_user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["timestamp"] == "2022-03-30T14:24:18+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:24:18+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Unmarshaled["authelia"]["level"] == "debug" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Unmarshaled["authelia"]["method"] == "POST" 
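Review bot: `Meta["log_type"]` (and `Meta["user"]`) are dropped outright in favour of `auth_status` / `target_user` rather than being emitted alongside them, so any scenario or postoverflow in this repository that still filters on `evt.Meta.log_type == 'auth_success'` or `evt.Meta.user` will silently stop matching, and a parser-level assertion file like this one cannot surface that gap. Before merging, grep the scenarios referenced by this test for `log_type` and `Meta.user`, or keep the old keys for one release as a transition so detections degrade loudly rather than silently. This hunk covers only event [19]; the same rename appears to be applied to every other event in the file.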
@@ -1234,14 +1260,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["auth_sta results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser': duo auth result: deny, status: deny, message: Login request denied.\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_duo.go\",\"Line\":74,\"Name\":\"SecondFactorDuoPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:13+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["user"] == "realuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["auth_status"] == "failed" 
basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["target_user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2022-02-16T12:32:13+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:32:13+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:13+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Unmarshaled["authelia"]["level"] == "error" 
@@ -1255,56 +1281,56 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["auth_sta results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied.\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":177,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_duo.go\",\"Line\":74,\"Name\":\"SecondFactorDuoPost.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:13+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["user"] == "realuser@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["auth_status"] == "failed" 
basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["target_user"] == "realuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2022-02-16T12:32:13+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["user"] == "realuser@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:32:13+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["method"] == "POST" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied." 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:13+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["level"] == "error" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com': duo auth result: deny, status: deny, message: Login request denied." +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["auth_status"] == "Successful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["message"] == "{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful Duo authentication attempt made by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:26:22+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["program"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["user"] == "realuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["auth_status"] == "success" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"]) == "authelia-logs.log" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["target_user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2022-03-30T14:26:22+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:26:22+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:26:22+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["level"] == "debug" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["method"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["auth_status"] == "Unsuccessful" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful TOTP authentication attempt by user 'realuser'\",\"path\":\"/api/secondfactor/totp\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_totp.go\",\"Line\":41,\"Name\":\"SecondFactorTOTPPost\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:54+02:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["program"] == "authelia" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["user"] == "realuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"]) == "authelia-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_format"] == "JSON" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_type"] == "auth_failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["service"] == "authelia" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["target_user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2022-02-16T12:32:54+02:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["user"] == "realuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:32:54+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Unmarshaled["authelia"]["level"] == "error" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Unmarshaled["authelia"]["method"] == "POST" 
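Review bot: Event [22] now carries the same key name with two different vocabularies — `Parsed["auth_status"] == "Successful"` a few lines above and the added `Meta["auth_status"] == "success"` — so a scenario filter written against one form (`evt.Parsed.auth_status == 'failed'`) never matches the other, which is a silent detection miss rather than an error. Either normalise the parsed value as well or give the Meta key a distinct name such as `auth_result` so the two cannot be confused. Separately, the moved `Unmarshaled["authelia"]` assertions for events [21] and [22] look like map-iteration churn from the assert generator rather than semantic changes; emitting those keys in sorted order would keep future diffs to the lines that actually matter.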
@@ -1318,127 +1344,148 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["auth_sta
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful TOTP authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/secondfactor/totp\",\"remote_ip\":\"1.1.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/response.go\",\"Line\":181,\"Name\":\"markAuthenticationAttempt\"},{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_sign_totp.go\",\"Line\":41,\"Name\":\"SecondFactorTOTPPost\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/require_first_factor.go\",\"Line\":15,\"Name\":\"RequireFirstFactor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go\",\"Line\":52,\"Name\":\"AutheliaMiddleware.func1.1\"},{\"File\":\"github.com/fasthttp/router@v1.4.5/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/log_request.go\",\"Line\":14,\"Name\":\"LogRequestMiddleware.func1\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/server.go\",\"Line\":2298,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":223,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.32.0/workerpool.go\",\"Line\":195,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1581,\"Name\":\"goexit\"}],\"time\":\"2022-02-16T12:32:54+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["timestamp"] == "2022-02-16T12:32:54+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Enriched["MarshaledTime"] == "2022-02-16T12:32:54+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["time"] == "2022-02-16T12:32:54+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful TOTP authentication attempt by user 'realuser@example.com'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/totp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["message"] == "{\"level\":\"debug\",\"method\":\"POST\",\"msg\":\"Successful Duo authentication attempt made by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"127.0.0.1\",\"time\":\"2022-03-30T14:26:22+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["timestamp"] == "2022-03-30T14:26:22+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Enriched["MarshaledTime"] == "2022-03-30T14:26:22+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:26:22+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["msg"] == "Successful Duo authentication attempt made by user 'realuser'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["remote_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Unmarshaled["authelia"]["time"] == "2022-03-30T14:26:22+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:39:05+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["timestamp"] == "2025-03-13T13:39:05+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Enriched["MarshaledTime"] == "2025-03-13T13:39:05+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["error"] == "user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:39:05+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["user"] == "fakeuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["timestamp"] == "2025-03-13T13:39:05+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Enriched["MarshaledTime"] == "2025-03-13T13:39:05+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["error"] == "user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser@example.com' which usually indicates they do not exist"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:39:05+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Unmarshaled["authelia"]["error"] == "user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["message"] == "{\"error\":\"duo auth result: deny, status: deny, message: Login request denied.\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:46:31+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["user"] == "realuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["timestamp"] == "2025-03-13T13:46:31+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Enriched["MarshaledTime"] == "2025-03-13T13:46:31+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["method"] == "POST"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:46:31+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["error"] == "duo auth result: deny, status: deny, message: Login request denied."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["level"] == "error"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["method"] == "POST"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["auth_status"] == "Unsuccessful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["message"] == "{\"error\":\"duo auth result: deny, status: deny, message: Login request denied.\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful Duo authentication attempt by user 'realuser@example.com'\",\"path\":\"/api/secondfactor/duo\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T13:46:31+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["program"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["user"] == "realuser@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"]) == "authelia-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["service"] == "authelia"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["target_user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["timestamp"] == "2025-03-13T13:46:31+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["user"] == "realuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Enriched["MarshaledTime"] == "2025-03-13T13:46:31+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:46:31+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["error"] == "duo auth result: deny, status: deny, message: Login request denied."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful Duo authentication attempt by user 'realuser@example.com'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T13:46:31+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["auth_status"] == "Unsuccessful"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["message"] == "{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found\",\"path\":\"/api/firstfactor\",\"remote_ip\":\"1.1.1.1\",\"time\":\"2025-03-13T14:00:00+02:00\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["program"] == "authelia"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"]) == "authelia-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["log_format"] == "JSON"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["service"] == "authelia"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["timestamp"] == "2025-03-13T14:00:00+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Enriched["MarshaledTime"] == "2025-03-13T14:00:00+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["msg"] == "Unsuccessful 1FA authentication attempt by user 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl': user not found"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["time"] == "2025-03-13T14:00:00+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["level"] == "error"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Unmarshaled["authelia"]["method"] == "POST"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/authentik-bf/parser.assert b/.tests/authentik-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/authentik-bf/scenario.assert b/.tests/authentik-bf/scenario.assert
index c20f06a1701..cdc6ee323b4 100644
--- a/.tests/authentik-bf/scenario.assert
+++ b/.tests/authentik-bf/scenario.assert
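Review bot: The nonexistent-user events [26], [27] and the newly added [30] are asserted with `Evt.Meta["auth_status"] == "failed"`, identical to the wrong-credential events [23], [24], [28] and [29], while the removed `Evt.Meta["log_type"]` lines were the only metadata in this file that told the two cases apart. If an authelia user-enumeration scenario relied on `log_type` rather than on distinct `target_user` values per `source_ip`, it must have been updated outside this diff; that cannot be confirmed from the hunk. [26] and [27] also carry no `Evt.Parsed["auth_status"]` assertion, so their failed Meta value presumably comes from a parser default rather than from the log line — worth confirming that is intentional for the "user not found" path. The removed-then-re-added `Unmarshaled["authelia"][...]` lines for [24] to [29] are key-order churn rather than a behaviour change; regenerating the assert file with a stable key order would keep future diffs reviewable.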
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["3.3.3.3"].IP == "3.3.3.3"
 results[0].Overflow.Sources["3.3.3.3"].Range == ""
 results[0].Overflow.Sources["3.3.3.3"].GetScope() == "Ip"
 results[0].Overflow.Sources["3.3.3.3"].GetValue() == "3.3.3.3"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "user1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user2"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "user2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "user3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "user4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "user5"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "user5"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "authentik"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "3.3.3.3"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "user6"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "user6"
 results[0].Overflow.Alert.GetScenario() == "firix/authentik-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
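Review bot: Replacing `GetMeta("log_type") == "authentik_failed_auth"` with `GetMeta("auth_status") == "failed"` for results[0] here, and `"authentik_invalid_username"` with the same value for results[1] in the hunk at `@@ -54,48 +54,48 @@`, removes the only event metadata that distinguished an unknown username from a wrong password; the hunk at `@@ -104,48 +104,48 @@` makes the same change for results[2]. Both results[0] and results[1] already resolve to `firix/authentik-bf_user-enum`, so if that scenario's filter ever referenced `log_type` the change must be mirrored in the scenario YAML — that is not visible in this diff. Wrapping `datasource_path` in `basename(...)` is a real improvement, since the absolute path depends on where the test tree is checked out. Because the distinction is now only recoverable from the raw line, a short comment in the parser or scenario YAML stating that unknown-user and bad-password attempts both map to `auth_status: failed` would document the trade-off for the next maintainer.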
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[1].Overflow.Sources["1.1.1.1"].Range == ""
 results[1].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "user1"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "user2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "user2"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "user3"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "user3"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "user4"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "user4"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "user5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[4].GetMeta("username") == "user5"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_invalid_username"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "authentik"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "user6"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z"
-results[1].Overflow.Alert.Events[5].GetMeta("username") == "user6"
 results[1].Overflow.Alert.GetScenario() == "firix/authentik-bf_user-enum"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["4.4.4.4"].IP == "4.4.4.4" results[2].Overflow.Sources["4.4.4.4"].Range == "" results[2].Overflow.Sources["4.4.4.4"].GetScope() == "Ip" results[2].Overflow.Sources["4.4.4.4"].GetValue() == "4.4.4.4" -results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[0].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.4" +results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[0].GetMeta("username") == "userX" -results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[1].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.4" +results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[1].GetMeta("username") == "userX" -results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[2].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.4" +results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[2].GetMeta("username") == "userX" -results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[3].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.4" +results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[3].GetMeta("username") == "userX" -results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[4].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.4" 
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[4].GetMeta("username") == "userX" -results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log" +results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log" results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_failed_auth" results[2].Overflow.Alert.Events[5].GetMeta("service") == "authentik" results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.4" +results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "userX" results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[2].Overflow.Alert.Events[5].GetMeta("username") == "userX" results[2].Overflow.Alert.GetScenario() == "firix/authentik-bf" results[2].Overflow.Alert.Remediation == true results[2].Overflow.Alert.GetEventsCount() == 6 
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["3.3.3.3"].IP == "3.3.3.3" results[3].Overflow.Sources["3.3.3.3"].Range == "" results[3].Overflow.Sources["3.3.3.3"].GetScope() == "Ip" results[3].Overflow.Sources["3.3.3.3"].GetValue() == "3.3.3.3" -results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[0].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.3.3.3" +results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "user1" results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[0].GetMeta("username") == "user1" -results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[1].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.3.3.3" +results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "user2" results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[1].GetMeta("username") == "user2" -results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[2].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.3.3.3" +results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "user3" results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[2].GetMeta("username") == "user3" -results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[3].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.3.3.3" +results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "user4" results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[3].GetMeta("username") == "user4" -results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[4].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "3.3.3.3" 
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "user5" results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[4].GetMeta("username") == "user5" -results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log" +results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log" results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_failed_auth" results[3].Overflow.Alert.Events[5].GetMeta("service") == "authentik" results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "3.3.3.3" +results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "user6" results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:39:46.598288Z" -results[3].Overflow.Alert.Events[5].GetMeta("username") == "user6" results[3].Overflow.Alert.GetScenario() == "firix/authentik-bf" results[3].Overflow.Alert.Remediation == true results[3].Overflow.Alert.GetEventsCount() == 6 
@@ -204,48 +204,48 @@ results[4].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2" results[4].Overflow.Sources["2.2.2.2"].Range == "" results[4].Overflow.Sources["2.2.2.2"].GetScope() == "Ip" results[4].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2" -results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[0].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2" +results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[0].GetMeta("username") == "userX" -results[4].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[1].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2" +results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[1].GetMeta("username") == "userX" -results[4].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[2].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2" +results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[2].GetMeta("username") == "userX" -results[4].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[3].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2" +results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[3].GetMeta("username") == "userX" -results[4].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[4].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2" 
+results[4].Overflow.Alert.Events[4].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[4].GetMeta("username") == "userX" -results[4].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log" +results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log" results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_invalid_username" results[4].Overflow.Alert.Events[5].GetMeta("service") == "authentik" results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2" +results[4].Overflow.Alert.Events[5].GetMeta("target_user") == "userX" results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[4].Overflow.Alert.Events[5].GetMeta("username") == "userX" results[4].Overflow.Alert.GetScenario() == "firix/authentik-bf" results[4].Overflow.Alert.Remediation == true results[4].Overflow.Alert.GetEventsCount() == 6 
@@ -254,48 +254,48 @@ results[5].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1" results[5].Overflow.Sources["1.1.1.1"].Range == "" results[5].Overflow.Sources["1.1.1.1"].GetScope() == "Ip" results[5].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1" -results[5].Overflow.Alert.Events[0].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[5].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[0].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1" +results[5].Overflow.Alert.Events[0].GetMeta("target_user") == "user1" results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[0].GetMeta("username") == "user1" -results[5].Overflow.Alert.Events[1].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[5].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[1].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[1].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1" +results[5].Overflow.Alert.Events[1].GetMeta("target_user") == "user2" results[5].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[1].GetMeta("username") == "user2" -results[5].Overflow.Alert.Events[2].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[5].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[2].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[2].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1" +results[5].Overflow.Alert.Events[2].GetMeta("target_user") == "user3" results[5].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[2].GetMeta("username") == "user3" -results[5].Overflow.Alert.Events[3].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[5].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[3].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[3].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1" +results[5].Overflow.Alert.Events[3].GetMeta("target_user") == "user4" results[5].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[3].GetMeta("username") == "user4" -results[5].Overflow.Alert.Events[4].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[5].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[4].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[4].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1" 
+results[5].Overflow.Alert.Events[4].GetMeta("target_user") == "user5" results[5].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[4].GetMeta("username") == "user5" -results[5].Overflow.Alert.Events[5].GetMeta("datasource_path") == "authentik-bf.log" +results[5].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[5].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "authentik-bf.log" results[5].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[5].Overflow.Alert.Events[5].GetMeta("log_type") == "authentik_invalid_username" results[5].Overflow.Alert.Events[5].GetMeta("service") == "authentik" results[5].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1" +results[5].Overflow.Alert.Events[5].GetMeta("target_user") == "user6" results[5].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-10-17T17:31:29.487016Z" -results[5].Overflow.Alert.Events[5].GetMeta("username") == "user6" results[5].Overflow.Alert.GetScenario() == "firix/authentik-bf" results[5].Overflow.Alert.Remediation == true results[5].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/authentik-logs/authentik-logs.log b/.tests/authentik-logs/authentik-logs.log index fede19c0726..40fef63be41 100644 --- a/.tests/authentik-logs/authentik-logs.log +++ b/.tests/authentik-logs/authentik-logs.log 
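Review bot: Dropping the `log_type` assertions (`authentik_invalid_username` in this 1.1.1.1 bucket, `authentik_failed_auth` in the 4.4.4.4 and 3.3.3.3 buckets above) in favour of a single `auth_status == "failed"` removes the only meta that separated an identification-stage rejection of an unknown identifier from a wrong password on an existing account, so both now look identical to any scenario that reads meta. User enumeration is specifically the former, while the latter with distinct `target_user` values is password spraying, so `firix/authentik-bf_user-enum` (results[1] above) presumably can no longer tell them apart — the parser and scenario YAML are not in this chunk, so this is inferred from the assertions alone. If that distinction is still wanted, keep a stage-level meta such as `auth_stage: identification` for `invalid_identifier` events and `auth_stage: password` for `login_failed` events, and assert it here next to `auth_status`.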
@@ -1,3 +1,4 @@
 {"action": "login_failed", "auth_via": "unauthenticated", "client_ip": "1.2.3.4", "context": {"geo": {"city": "Washington", "continent": "NA", "country": "US", "lat": 38.8894, "long": -77.0353}, "http_request": {"args": {"next": "/application/o/authorize/?client_id=xyz&redirect_uri=https%3A%2F%2Ffoo.mywebsite.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=profile+openid+email+ak_proxy&state=-b-123_-000"}, "method": "POST", "path": "/api/v3/flows/executor/default-authentication-flow/"}, "password": "********************", "stage": {"app": "authentik_stages_password", "model_name": "passwordstage", "name": "default-authentication-password", "pk": "abc"}, "username": "myuser"}, "event": "Created Event", "host": "foo.mywebsite.com", "level": "info", "logger": "authentik.events.models", "pid": 290146, "request_id": "a60cee518bb444c9a591d32a994268f3", "timestamp": "2023-10-17T17:39:46.598288", "user": {"email": "", "pk": 2, "username": "AnonymousUser"}}
 {"action": "invalid_identifier", "auth_via": "unauthenticated", "client_ip": "1.2.3.4", "context": {"stage": ""}, "event": "invalid_login", "host": "foo.mywebsite.com", "identifier": "wronguser", "level": "info", "logger": "authentik.flows.stage", "pid": 290146, "request_id": "b845048981dc46e4b8456e3f731551c2", "stage": "default-authentication-identification", "stage_view": "authentik.stages.identification.stage.IdentificationStageView", "timestamp": "2023-10-17T17:31:29.487016"}
 {"action": "login", "auth_via": "unauthenticated", "client_ip": "1.2.3.4", "context": {"auth_method": "password", "auth_method_args": {}, "geo": {"city": "Washington", "continent": "NA", "country": "US", "lat": 38.8894, "long": -77.0353}, "http_request": {"args": {"next": "/"}, "method": "GET", "path": "/api/v3/flows/executor/default-authentication-flow/"}}, "event": "Created Event", "host": "foo.mywebsite.com", "level": "info", "logger": "authentik.events.models", "pid": 290146, "request_id": "83b803b905eb40e89fc1c9bc052c2f4a", "timestamp": "2023-10-17T17:32:24.328552", "user": {"email": "myuser@myemail.com", "pk": 6, "username": "myuser"}}
+{"action": "login_failed", "auth_via": "unauthenticated", "client_ip": "1.2.3.4", "context": {"geo": {"city": "Washington", "continent": "NA", "country": "US", "lat": 38.8894, "long": -77.0353}, "http_request": {"args": {"next": "/application/o/authorize/"}, "method": "POST", "path": "/api/v3/flows/executor/default-authentication-flow/"}, "password": "********************", "stage": {"app": "authentik_stages_password", "model_name": "passwordstage", "name": "default-authentication-password", "pk": "abc"}, "username": "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"}, "event": "Created Event", "host": "foo.mywebsite.com", "level": "info", "logger": "authentik.events.models", "pid": 290146, "request_id": "test123456789012345678901234567890", "timestamp": "2023-10-17T17:40:00.000000", "user": {"email": "", "pk": 2, "username": "AnonymousUser"}}
diff --git a/.tests/authentik-logs/parser.assert b/.tests/authentik-logs/parser.assert
index 4399ea58d1f..4cbc2dda003 100644
--- a/.tests/authentik-logs/parser.assert
+++ b/.tests/authentik-logs/parser.assert
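Review bot: The new fixture line only exercises the `login_failed` path, where `target_user` is lifted from `context.username` (the parser.assert below maps the first line to `myuser`), while the `invalid_identifier` path takes it from the top-level `identifier` field (second line, `wronguser`) and gets no `crowdsec-test-` line of its own. Presumably the random `crowdsec-test-…` username exists so the assertions prove the user is really extracted from the event rather than matched against a fixed value; if so, the identification-stage extraction stays unproven by this change. A second added line modelled on the existing `invalid_identifier` line, e.g. `{"action": "invalid_identifier", ..., "identifier": "crowdsec-test-<random>", "stage": "default-authentication-identification", ...}`, would cover it. Minor: `request_id` `test123456789012345678901234567890` is not the 32-hex shape the other three lines carry, which is harmless unless the parser ever keys on that field.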
@@ -1,65 +1,101 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/?client_id=xyz&redirect_uri=https%3A%2F%2Ffoo.mywebsite.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=profile+openid+email+ak_proxy&state=-b-123_-000\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": \"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"myuser\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"a60cee518bb444c9a591d32a994268f3\", \"timestamp\": \"2023-10-17T17:39:46.598288\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "authentik" -results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "authentik-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "authentik-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"action\": \"invalid_identifier\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"stage\": \"\"}, \"event\": \"invalid_login\", \"host\": \"foo.mywebsite.com\", \"identifier\": \"wronguser\", \"level\": \"info\", \"logger\": \"authentik.flows.stage\", \"pid\": 290146, \"request_id\": \"b845048981dc46e4b8456e3f731551c2\", \"stage\": \"default-authentication-identification\", \"stage_view\": \"authentik.stages.identification.stage.IdentificationStageView\", \"timestamp\": \"2023-10-17T17:31:29.487016\"}" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "authentik" -results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "authentik-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "authentik-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "{\"action\": \"login\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"auth_method\": \"password\", \"auth_method_args\": {}, \"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/\"}, \"method\": \"GET\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"83b803b905eb40e89fc1c9bc052c2f4a\", \"timestamp\": \"2023-10-17T17:32:24.328552\", \"user\": {\"email\": \"myuser@myemail.com\", \"pk\": 6, \"username\": \"myuser\"}}" 
results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "authentik" -results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "authentik-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "authentik-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3 +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": \"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"test123456789012345678901234567890\", \"timestamp\": \"2023-10-17T17:40:00.000000\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "authentik" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "authentik-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false 
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false -len(results["s01-parse"]["firix/authentik-logs"]) == 3 +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false +len(results["s01-parse"]["firix/authentik-logs"]) == 4 results["s01-parse"]["firix/authentik-logs"][0].Success == true results["s01-parse"]["firix/authentik-logs"][0].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/?client_id=xyz&redirect_uri=https%3A%2F%2Ffoo.mywebsite.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=profile+openid+email+ak_proxy&state=-b-123_-000\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": \"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"myuser\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"a60cee518bb444c9a591d32a994268f3\", \"timestamp\": \"2023-10-17T17:39:46.598288\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" results["s01-parse"]["firix/authentik-logs"][0].Evt.Parsed["program"] == "authentik" -results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["datasource_path"] == "authentik-logs.log" +results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["auth_status"] == "failed" 
+basename(results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["datasource_path"]) == "authentik-logs.log" results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["log_type"] == "authentik_failed_auth" results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["service"] == "authentik" results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["username"] == "myuser" +results["s01-parse"]["firix/authentik-logs"][0].Evt.Meta["target_user"] == "myuser" +results["s01-parse"]["firix/authentik-logs"][0].Evt.Whitelisted == false results["s01-parse"]["firix/authentik-logs"][1].Success == true results["s01-parse"]["firix/authentik-logs"][1].Evt.Parsed["message"] == "{\"action\": \"invalid_identifier\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"stage\": \"\"}, \"event\": \"invalid_login\", \"host\": \"foo.mywebsite.com\", \"identifier\": \"wronguser\", \"level\": \"info\", \"logger\": \"authentik.flows.stage\", \"pid\": 290146, \"request_id\": \"b845048981dc46e4b8456e3f731551c2\", \"stage\": \"default-authentication-identification\", \"stage_view\": \"authentik.stages.identification.stage.IdentificationStageView\", \"timestamp\": \"2023-10-17T17:31:29.487016\"}" results["s01-parse"]["firix/authentik-logs"][1].Evt.Parsed["program"] == "authentik" -results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["username"] == "wronguser" -results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["datasource_path"] == "authentik-logs.log" +results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["datasource_path"]) == "authentik-logs.log" 
results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["log_type"] == "authentik_invalid_username" results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["service"] == "authentik" +results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["firix/authentik-logs"][1].Evt.Meta["target_user"] == "wronguser" +results["s01-parse"]["firix/authentik-logs"][1].Evt.Whitelisted == false results["s01-parse"]["firix/authentik-logs"][2].Success == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2 +results["s01-parse"]["firix/authentik-logs"][3].Success == true +results["s01-parse"]["firix/authentik-logs"][3].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": \"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"test123456789012345678901234567890\", \"timestamp\": \"2023-10-17T17:40:00.000000\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Parsed["program"] == "authentik" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["auth_status"] == "failed" 
+basename(results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["datasource_path"]) == "authentik-logs.log" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["service"] == "authentik" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["firix/authentik-logs"][3].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/?client_id=xyz&redirect_uri=https%3A%2F%2Ffoo.mywebsite.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=profile+openid+email+ak_proxy&state=-b-123_-000\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": \"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"myuser\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"a60cee518bb444c9a591d32a994268f3\", \"timestamp\": \"2023-10-17T17:39:46.598288\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == 
"authentik" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "authentik_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "authentik-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "authentik" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "myuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-10-17T17:39:46.598288Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "myuser" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "authentik-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-10-17T17:39:46.598288Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"action\": \"invalid_identifier\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"stage\": \"\"}, \"event\": \"invalid_login\", \"host\": \"foo.mywebsite.com\", \"identifier\": \"wronguser\", \"level\": \"info\", \"logger\": \"authentik.flows.stage\", \"pid\": 290146, \"request_id\": \"b845048981dc46e4b8456e3f731551c2\", \"stage\": \"default-authentication-identification\", \"stage_view\": \"authentik.stages.identification.stage.IdentificationStageView\", 
\"timestamp\": \"2023-10-17T17:31:29.487016\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "authentik" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "authentik-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "authentik-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "authentik_invalid_username" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "authentik" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "wronguser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-10-17T17:31:29.487016Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "wronguser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-10-17T17:31:29.487016Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"action\": \"login_failed\", \"auth_via\": \"unauthenticated\", \"client_ip\": \"1.2.3.4\", \"context\": {\"geo\": {\"city\": \"Washington\", \"continent\": \"NA\", \"country\": \"US\", \"lat\": 38.8894, \"long\": -77.0353}, \"http_request\": {\"args\": {\"next\": \"/application/o/authorize/\"}, \"method\": \"POST\", \"path\": \"/api/v3/flows/executor/default-authentication-flow/\"}, \"password\": \"********************\", \"stage\": {\"app\": 
\"authentik_stages_password\", \"model_name\": \"passwordstage\", \"name\": \"default-authentication-password\", \"pk\": \"abc\"}, \"username\": \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}, \"event\": \"Created Event\", \"host\": \"foo.mywebsite.com\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 290146, \"request_id\": \"test123456789012345678901234567890\", \"timestamp\": \"2023-10-17T17:40:00.000000\", \"user\": {\"email\": \"\", \"pk\": 2, \"username\": \"AnonymousUser\"}}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "authentik" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "authentik-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "authentik" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-10-17T17:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-10-17T17:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/.tests/aws-alb-http-bad-user-agent/parser.assert b/.tests/aws-alb-http-bad-user-agent/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/aws-bf/parser.assert b/.tests/aws-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 
diff --git a/.tests/aws-cloudtrail-postexploit/parser.assert b/.tests/aws-cloudtrail-postexploit/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/aws-nwo-login/parser.assert b/.tests/aws-nwo-login/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/baikal-bf/parser.assert b/.tests/baikal-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/baikal-bf/scenario.assert b/.tests/baikal-bf/scenario.assert
index 51369707238..e6fd5ab5155 100644
--- a/.tests/baikal-bf/scenario.assert
+++ b/.tests/baikal-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["33.202.22.97"].IP == "33.202.22.97" results[0].Overflow.Sources["33.202.22.97"].Range == "" results[0].Overflow.Sources["33.202.22.97"].GetScope() == "Ip" results[0].Overflow.Sources["33.202.22.97"].GetValue() == "33.202.22.97" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root1" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-08T09:19:24.428126Z" -results[0].Overflow.Alert.Events[0].GetMeta("username") == "root1" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root2" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-08T09:19:28.528126Z" -results[0].Overflow.Alert.Events[1].GetMeta("username") == "root2" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[2].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "root3" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-08T09:19:44.118526Z" -results[0].Overflow.Alert.Events[2].GetMeta("username") == "root3" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root4" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-08T09:19:47.572626Z" -results[0].Overflow.Alert.Events[3].GetMeta("username") == "root4" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[4].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == 
"root5" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-08T09:19:58.646126Z" -results[0].Overflow.Alert.Events[4].GetMeta("username") == "root5" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "baikal-bf.log" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "baikal-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "baikal_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("service") == "baikal" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "33.202.22.97" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root6" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-06T09:19:59.536126Z" -results[0].Overflow.Alert.Events[5].GetMeta("username") == "root6" results[0].Overflow.Alert.GetScenario() == "andreasbrett/baikal-bf_user-enum" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 
@@ -54,39 +54,39 @@ results[1].Overflow.Sources["33.202.222.97"].IP == "33.202.222.97"
 results[1].Overflow.Sources["33.202.222.97"].Range == ""
 results[1].Overflow.Sources["33.202.222.97"].GetScope() == "Ip"
 results[1].Overflow.Sources["33.202.222.97"].GetValue() == "33.202.222.97"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-07T09:20:12.156126Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-07T09:19:24.428126Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-07T09:19:28.528126Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-07T09:19:44.118526Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-07T09:19:47.572626Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "baikal-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "baikal-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "baikal_failed_auth_no_user"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "baikal"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "33.202.222.97"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-07T09:19:58.646126Z"
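Review bot: With the `log_type` assertions dropped, nothing in this hunk still pins that the results[1] events — the ones that used to match `baikal_failed_auth_no_user` — carry no user, so a parser regression that started filling `target_user` from placeholder text would pass unnoticed; the only remaining difference from the results[0] and results[2] hunks is the absence of a `target_user` line. A negative assertion per event, e.g. `results[1].Overflow.Alert.Events[0].GetMeta("target_user") == ""`, would keep the no-user branch covered; this presumes GetMeta returns an empty string for a missing key, which should be confirmed against the Event type. The same gap applies to events 1 through 5 of this hunk.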
@@ -98,48 +98,48 @@ results[2].Overflow.Sources["33.202.22.97"].IP == "33.202.22.97" results[2].Overflow.Sources["33.202.22.97"].Range == "" results[2].Overflow.Sources["33.202.22.97"].GetScope() == "Ip" results[2].Overflow.Sources["33.202.22.97"].GetValue() == "33.202.22.97" -results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[0].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "root1" results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-08T09:19:24.428126Z" -results[2].Overflow.Alert.Events[0].GetMeta("username") == "root1" -results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[1].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "root2" results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-08T09:19:28.528126Z" -results[2].Overflow.Alert.Events[1].GetMeta("username") == "root2" -results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[2].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "root3" results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-08T09:19:44.118526Z" -results[2].Overflow.Alert.Events[2].GetMeta("username") == "root3" -results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[3].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "root4" results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-08T09:19:47.572626Z" -results[2].Overflow.Alert.Events[3].GetMeta("username") == "root4" -results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[4].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[4].GetMeta("target_user") == 
"root5" results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-08T09:19:58.646126Z" -results[2].Overflow.Alert.Events[4].GetMeta("username") == "root5" -results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "baikal-bf.log" +results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "baikal-bf.log" results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "baikal_failed_auth" results[2].Overflow.Alert.Events[5].GetMeta("service") == "baikal" results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "33.202.22.97" +results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "root6" results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-06T09:19:59.536126Z" -results[2].Overflow.Alert.Events[5].GetMeta("username") == "root6" results[2].Overflow.Alert.GetScenario() == "andreasbrett/baikal-bf" results[2].Overflow.Alert.Remediation == true results[2].Overflow.Alert.GetEventsCount() == 6 
@@ -148,48 +148,48 @@ results[3].Overflow.Sources["33.202.142.97"].IP == "33.202.142.97" results[3].Overflow.Sources["33.202.142.97"].Range == "" results[3].Overflow.Sources["33.202.142.97"].GetScope() == "Ip" results[3].Overflow.Sources["33.202.142.97"].GetValue() == "33.202.142.97" -results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[0].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "admin" results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-05T09:19:24.428126Z" -results[3].Overflow.Alert.Events[0].GetMeta("username") == "admin" -results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[1].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "admin" results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-05T09:19:28.528126Z" -results[3].Overflow.Alert.Events[1].GetMeta("username") == "admin" -results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[2].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "admin" results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-05T09:19:44.118526Z" -results[3].Overflow.Alert.Events[2].GetMeta("username") == "admin" -results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[3].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "admin" results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-05T09:19:47.572626Z" -results[3].Overflow.Alert.Events[3].GetMeta("username") == "admin" -results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[4].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[4].GetMeta("target_user") 
== "admin" results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-05T09:19:58.646126Z" -results[3].Overflow.Alert.Events[4].GetMeta("username") == "admin" -results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "baikal-bf.log" +results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "baikal-bf.log" results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "baikal_failed_auth" results[3].Overflow.Alert.Events[5].GetMeta("service") == "baikal" results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "33.202.142.97" +results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "admin" results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-05T09:20:12.156126Z" -results[3].Overflow.Alert.Events[5].GetMeta("username") == "admin" results[3].Overflow.Alert.GetScenario() == "andreasbrett/baikal-bf" results[3].Overflow.Alert.Remediation == true results[3].Overflow.Alert.GetEventsCount() == 6 
@@ -198,48 +198,48 @@ results[4].Overflow.Sources["33.202.122.97"].IP == "33.202.122.97" results[4].Overflow.Sources["33.202.122.97"].Range == "" results[4].Overflow.Sources["33.202.122.97"].GetScope() == "Ip" results[4].Overflow.Sources["33.202.122.97"].GetValue() == "33.202.122.97" -results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[0].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "root" results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-06T09:19:24.428126Z" -results[4].Overflow.Alert.Events[0].GetMeta("username") == "root" -results[4].Overflow.Alert.Events[1].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[1].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "root" results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-06T09:19:28.528126Z" -results[4].Overflow.Alert.Events[1].GetMeta("username") == "root" -results[4].Overflow.Alert.Events[2].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[2].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "root" results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-06T09:19:44.118526Z" -results[4].Overflow.Alert.Events[2].GetMeta("username") == "root" -results[4].Overflow.Alert.Events[3].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[3].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "root" results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-06T09:19:47.572626Z" -results[4].Overflow.Alert.Events[3].GetMeta("username") == "root" -results[4].Overflow.Alert.Events[4].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[4].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[4].GetMeta("target_user") == 
"root" results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-06T09:19:58.646126Z" -results[4].Overflow.Alert.Events[4].GetMeta("username") == "root" -results[4].Overflow.Alert.Events[5].GetMeta("datasource_path") == "baikal-bf.log" +results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "baikal-bf.log" results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "baikal_failed_auth" results[4].Overflow.Alert.Events[5].GetMeta("service") == "baikal" results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "33.202.122.97" +results[4].Overflow.Alert.Events[5].GetMeta("target_user") == "root" results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-06T09:19:59.536126Z" -results[4].Overflow.Alert.Events[5].GetMeta("username") == "root" results[4].Overflow.Alert.GetScenario() == "andreasbrett/baikal-bf" results[4].Overflow.Alert.Remediation == true results[4].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/baikal-logs/baikal-logs.log b/.tests/baikal-logs/baikal-logs.log index dbcc1b5703a..f291edbe5e0 100644 --- a/.tests/baikal-logs/baikal-logs.log +++ b/.tests/baikal-logs/baikal-logs.log 
@@ -15,4 +15,5 @@
 [Fri Jul 07 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'
 [Fri Jul 07 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'
 [Fri Jul 07 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'
-[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'
\ No newline at end of file
+[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'
+[Fri Jul 07 09:21:00.000000 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55310] AH01071: Got error 'PHP message: user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl authentication failure for Baikal'
\ No newline at end of file
diff --git a/.tests/baikal-logs/parser.assert b/.tests/baikal-logs/parser.assert
index a284daa14d5..f48cf63c451 100644
--- a/.tests/baikal-logs/parser.assert
+++ b/.tests/baikal-logs/parser.assert
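Review bot: The added fixture line reuses the publicly routable source address 33.202.222.97 (the existing lines use 33.202.142.97 and 33.202.122.97), none of which fall in the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24. Sample logs that feed a detection engine tend to get pasted into bug reports and replayed through real agents, so fixtures should use documentation addresses; since the parser test only needs the Jul 07 lines to share one address, the whole block can be moved to e.g. `203.0.113.97` in one edit and the `source_ip` expectations regenerated. The `\ No newline at end of file` marker is also carried over onto the new last line; terminating the file with a newline would stop the next append from rewriting this line yet again.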
@@ -1,96 +1,120 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 18
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 19
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[Wed Jul 05 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[Wed Jul 05 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Wed Jul 05 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[Wed Jul 05 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[Wed Jul 05 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "[Wed Jul 05 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "baikal"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "[Thu Jul 06 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "[Thu Jul 06 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "[Thu Jul 06 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "[Thu Jul 06 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "baikal"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "[Thu Jul 06 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "baikal"
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "[Fri Jul 07 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "baikal"
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["message"] == "[Fri Jul 07 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
-results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["message"] == "[Fri Jul 07 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["message"] == "[Fri Jul 07 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "baikal"
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["message"] == "[Fri Jul 07 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
-results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["program"] == "baikal"
-results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"] == "baikal-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 18
+results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["message"] == "[Fri Jul 07 09:21:00.000000 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55310] AH01071: Got error 'PHP message: user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl authentication failure for Baikal'"
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["program"] == "baikal"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 19
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
@@ -109,7 +133,8 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][17].Success == false
-len(results["s01-parse"]["andreasbrett/baikal-logs"]) == 18
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Success == false
+len(results["s01-parse"]["andreasbrett/baikal-logs"]) == 19
 results["s01-parse"]["andreasbrett/baikal-logs"][0].Success == true
 results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["message"] == "[Wed Jul 05 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["program"] == "baikal"
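Review bot: The expectations at indices 11 and 17 pin the byte-identical message `[Fri Jul 07 09:20:12.156126 2023] … [client 33.202.222.97:55309] …`, while the Thu Jul 06 block (indices 6–10, 33.202.122.97) stops at 09:19:58 with five lines and the Fri Jul 07 block has seven, the first of them out of timestamp order. That looks like a copy-paste slip in the fixture — line 12 of baikal-logs.log was presumably meant to be the Jul 06 09:20:12 entry for user root — and because this commit regenerates the expectations around it, the duplicate is now baked into the expected output instead of being caught. If it is unintentional, fix the fixture line and regenerate; if out-of-order input is deliberately being exercised, give it a distinct timestamp so the two expectations stop being identical. The s01-parse expectations for the new index 18 are in the later hunk, outside this one.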
@@ -117,220 +142,252 @@ results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["source_ip"] == " results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["source_port"] == "55309" results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:24.428126 2023" results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["datasource_path"] == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["datasource_path"]) == "baikal-logs.log" results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["log_type"] == "baikal_failed_auth" results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][0].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][1].Success == true +results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["message"] == "[Wed Jul 05 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["source_ip"] == "33.202.142.97" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["source_port"] == "55309" 
results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:28.528126 2023" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Parsed["message"] == "[Wed Jul 05 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" -results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["datasource_path"] == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["datasource_path"]) == "baikal-logs.log" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["log_type"] == "baikal_failed_auth" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][1].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][2].Success == true +results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["message"] == "[Wed Jul 05 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["source_ip"] == 
"33.202.142.97" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["source_port"] == "55309" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:44.118526 2023" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Parsed["message"] == "[Wed Jul 05 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" -results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["datasource_path"] == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["datasource_path"]) == "baikal-logs.log" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["log_type"] == "baikal_failed_auth" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][2].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][3].Success == true +results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["message"] == "[Wed Jul 05 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" 
+results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["source_ip"] == "33.202.142.97" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["source_port"] == "55309" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:47.572626 2023" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["message"] == "[Wed Jul 05 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Parsed["program"] == "baikal" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["log_type"] == "baikal_failed_auth" +results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["datasource_path"]) == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["datasource_path"] == "baikal-logs.log" -results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][3].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][4].Success == true 
-results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:58.646126 2023" -results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["username"] == "admin" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["message"] == "[Wed Jul 05 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["source_ip"] == "33.202.142.97" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["source_port"] == "55309" +results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:58.646126 2023" +results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Parsed["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["datasource_path"]) == "baikal-logs.log" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["log_type"] == "baikal_failed_auth" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["username"] == "admin" -results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["datasource_path"] == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][4].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][5].Success == true 
-results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["timestamp"] == "Wed Jul 05 09:20:12.156126 2023" -results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["username"] == "admin" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["message"] == "[Wed Jul 05 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["source_ip"] == "33.202.142.97" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["source_port"] == "55309" -results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["datasource_path"] == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["timestamp"] == "Wed Jul 05 09:20:12.156126 2023" +results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Parsed["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["datasource_path"]) == "baikal-logs.log" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["log_type"] == "baikal_failed_auth" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["source_ip"] == "33.202.142.97" -results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/baikal-logs"][5].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/baikal-logs"][6].Success == true 
-results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["source_port"] == "55309" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:24.428126 2023" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["username"] == "root" results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["message"] == "[Thu Jul 06 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'" results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["program"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["source_ip"] == "33.202.122.97" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["log_type"] == "baikal_failed_auth" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["source_port"] == "55309" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:24.428126 2023" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Parsed["username"] == "root" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["datasource_path"]) == "baikal-logs.log" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["service"] == "baikal" results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["source_ip"] == "33.202.122.97" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["username"] == "root" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["datasource_path"] == "baikal-logs.log" -results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Meta["target_user"] == "root" 
+results["s01-parse"]["andreasbrett/baikal-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:28.528126 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["username"] == "root"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["message"] == "[Thu Jul 06 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["source_port"] == "55309"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:28.528126 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Parsed["username"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["source_ip"] == "33.202.122.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["username"] == "root"
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["log_type"] == "baikal_failed_auth"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:44.118526 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["username"] == "root"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["message"] == "[Thu Jul 06 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["source_port"] == "55309"
-results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["username"] == "root"
-results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:44.118526 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Parsed["username"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:47.572626 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["username"] == "root"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["message"] == "[Thu Jul 06 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["source_port"] == "55309"
-results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:47.572626 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Parsed["username"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["source_ip"] == "33.202.122.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["username"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["username"] == "root"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["message"] == "[Thu Jul 06 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:58.646126 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["username"] == "root"
-results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Parsed["username"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["andreasbrett/baikal-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["source_port"] == "55309"
-results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["source_port"] == "55309"
+results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Success == true
+results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["message"] == "[Fri Jul 07 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:24.428126 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Parsed["message"] == "[Fri Jul 07 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
-results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["service"] == "baikal"
+results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][12].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Success == true
-results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["source_port"] == "55309"
-results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:28.528126 2023"
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["message"] == "[Fri Jul 07 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["source_port"] == "55309"
+results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:28.528126 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
+results["s01-parse"]["andreasbrett/baikal-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Success == true
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Parsed["message"] == "[Fri Jul 07 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:44.118526 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
+results["s01-parse"]["andreasbrett/baikal-logs"][14].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Success == true
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Parsed["message"] == "[Fri Jul 07 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:47.572626 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][15].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Success == true
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Parsed["message"] == "[Fri Jul 07 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:58.646126 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
+results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["andreasbrett/baikal-logs"][16].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Success == true
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Parsed["program"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Parsed["source_port"] == "55309"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
-results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["service"] == "baikal"
 results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Meta["source_ip"] == "33.202.222.97"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 18
+results["s01-parse"]["andreasbrett/baikal-logs"][17].Evt.Whitelisted == false
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Success == true
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["message"] == "[Fri Jul 07 09:21:00.000000 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55310] AH01071: Got error 'PHP message: user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl authentication failure for Baikal'"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["program"] == "baikal"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["source_port"] == "55310"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["timestamp"] == "Fri Jul 07 09:21:00.000000 2023"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["service"] == "baikal"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["andreasbrett/baikal-logs"][18].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 19
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Wed Jul 05 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "baikal"
@@ -338,14 +395,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:24.428126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-07-05T09:19:24.428126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:19:24.428126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Wed Jul 05 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "baikal"
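Review bot: The new side replaces the `Meta["username"]` assertion with `Meta["target_user"]` and drops `Meta["log_type"]` entirely, but nothing asserts that the old keys are gone, so a parser that still emits `username` or `log_type` next to the new keys passes these checks while any scenario or postoverflow keyed on `evt.Meta.username` / `evt.Meta.log_type` would silently stop matching. The same rename appears in the hunks at `@@ -353,44 +411,47 @@` and `@@ -398,14 +459,15 @@` and in the parse-stage hunk above this one. Since these assertions look regenerated from parser output, the thing to confirm is that every scenario shipped in this commit was updated to the new key names rather than just the fixture. If the assert evaluator accepts map membership, one added line per stage, e.g. `"username" not in results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta`, would pin the rename explicitly.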
@@ -353,44 +411,47 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:28.528126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "baikal_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-07-05T09:19:28.528126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:19:28.528126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Wed Jul 05 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "33.202.142.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:44.118526 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Wed Jul 05 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-07-05T09:19:44.118526Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:19:44.118526Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "55309"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:47.572626 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[Wed Jul 05 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "33.202.142.97"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "55309"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:47.572626 2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-07-05T09:19:47.572626Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:19:47.572626Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[Wed Jul 05 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "baikal"
@@ -398,14 +459,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Wed Jul 05 09:19:58.646126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-07-05T09:19:58.646126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:19:58.646126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "[Wed Jul 05 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.142.97:55309] AH01071: Got error 'PHP message: user admin authentication failure for Baikal', referer: https://baikal.example.com/html/admin/"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "baikal"
@@ -413,14 +475,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Wed Jul 05 09:20:12.156126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "baikal_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "33.202.142.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-07-05T09:20:12.156126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-07-05T09:20:12.156126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "[Thu Jul 06 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "baikal"
@@ -428,14 +491,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:24.428126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2023-07-06T09:19:24.428126Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2023-07-06T09:19:24.428126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "[Thu Jul 06 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "baikal"
@@ -443,148 +507,175 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:28.528126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2023-07-06T09:19:28.528126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2023-07-06T09:19:28.528126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:44.118526 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "[Thu Jul 06 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_port"] == "55309"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:44.118526 2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2023-07-06T09:19:44.118526Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2023-07-06T09:19:44.118526Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_port"] == "55309"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:47.572626 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "[Thu Jul 06 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "33.202.122.97"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "33.202.122.97"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-07-06T09:19:47.572626Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_port"] == "55309"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:47.572626 2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "baikal"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-07-06T09:19:47.572626Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2023-07-06T09:19:47.572626Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "[Thu Jul 06 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "33.202.122.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "Thu Jul 06 09:19:58.646126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "[Thu Jul 06 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.122.97:55309] AH01071: Got error 'PHP message: user root authentication failure for Baikal'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "baikal_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "33.202.122.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2023-07-06T09:19:58.646126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2023-07-06T09:19:58.646126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "33.202.222.97"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-07-07T09:20:12.156126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "baikal"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-07-07T09:20:12.156126Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:20:12.156126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "[Fri Jul 07 09:19:24.428126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:24.428126 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2023-07-07T09:19:24.428126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2023-07-07T09:19:24.428126Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:19:24.428126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "[Fri Jul 07 09:19:28.528126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:28.528126 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2023-07-07T09:19:28.528126Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:19:28.528126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "[Fri Jul 07 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:44.118526 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "[Fri Jul 07 09:19:44.118526 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "baikal"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2023-07-07T09:19:44.118526Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:19:44.118526Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "[Fri Jul 07 09:19:47.572626 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:47.572626 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2023-07-07T09:19:47.572626Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"] == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "baikal-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2023-07-07T09:19:47.572626Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:19:47.572626Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "[Fri Jul 07 09:19:58.646126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_port"] == "55309"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["timestamp"] == "Fri Jul 07 09:19:58.646126 2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2023-07-07T09:19:58.646126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:19:58.646126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_port"] == "55309"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["message"] == "[Fri Jul 07 09:20:12.156126 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55309] AH01071: Got error 'PHP message: user (name stripped-out) authentication failure for Baikal'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["program"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_port"] == "55309"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["timestamp"] == "Fri Jul 07 09:20:12.156126 2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "baikal"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"] == "33.202.222.97"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2023-07-07T09:20:12.156126Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"] == "baikal-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "baikal_failed_auth_no_user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:20:12.156126Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["message"] == "[Fri Jul 07 09:21:00.000000 2023] [proxy_fcgi:error] [pid 1178526:tid 139729482307328] [client 33.202.222.97:55310] AH01071: Got error 'PHP message: user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl authentication failure for Baikal'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["program"] == "baikal"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_port"] == "55310"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["timestamp"] == "Fri Jul 07 09:21:00.000000 2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "baikal-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "baikal"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "33.202.222.97"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2023-07-07T09:21:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Enriched["MarshaledTime"] == "2023-07-07T09:21:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/bind9-refused/parser.assert b/.tests/bind9-refused/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/bind9-syslog/parser.assert b/.tests/bind9-syslog/parser.assert
index d93b3d20a81..904b68ef295 100644
--- a/.tests/bind9-syslog/parser.assert
+++ b/.tests/bind9-syslog/parser.assert
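Review bot: Events [11] through [17] (the `(name stripped-out)` lines) no longer have any assertion that distinguishes them from a failure with a recognised user: the removed `Meta["log_type"] == "baikal_failed_auth_no_user"` lines were the only check that encoded this, and the new side asserts `Meta["auth_status"] == "failed"` for them without pinning that `Meta["target_user"]` is unset. A parser regression that started filling `target_user` with the literal `(name stripped-out)` (or any other placeholder) would pass this file unchanged, and a scenario that keys on `target_user` would then attribute anonymised failures to a bogus account. Consider adding, for each of [11]–[17], an explicit absence check such as `not ("target_user" in results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta)` if the assert grammar supports `in` on the Meta map, or an equality against the empty string otherwise. The same gap applies to `Parsed["username"]` for those events, which every other entry in the hunk pins explicitly.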
@@ -1,181 +1,605 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 12
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "20-Oct-2022 08:30:43.685 client @0x7f6520147ae8 164.92.117.245#55590 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "03-Nov-2022 13:34:52.235 security: error: client @0x7fb04c007328 2003:f8:733:b600:6018:bbe4:d0ed:22#62449 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "03-Nov-2022 13:37:23.345 error: client @0x7f7b200091e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62465 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "03-Nov-2022 13:37:37.525 security: client @0x7f3f9c009168 2003:f8:733:b600:6018:bbe4:d0ed:22#62466 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "03-Nov-2022 13:38:37.525 client @0x7fa0a4137838 2003:f8:733:b600:2c44:fab4:5e6e:d791#61738 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "security: client @0x7f37ac012d98 2003:f8:733:b600:6018:bbe4:d0ed:22#62518 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "client @0x7f8ac00071e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62524 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 3.135.188.55#52617 (sl): query (cache) 'sl/ANY/IN' denied"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["pid"] == "2075772"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "named"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == "Nov 13 10:59:46"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "keira"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Whitelisted == false
 len(results["s01-parse"]["mstilkerich/bind9"]) == 12
 results["s01-parse"]["mstilkerich/bind9"][0].Success == true
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["remote_addr"] == "104.219.136.31"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_m"] == "Oct"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_y"] == "2022"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_t"] == "05:34:02"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["program"] == "named"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["remote_addr"] == "104.219.136.31"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["remote_port"] == "3076"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_d"] == "19"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_m"] == "Oct"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_ms"] == "425"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["service"] == "bind9"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["source_ip"] == "104.219.136.31"
-results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_t"] == "05:34:02"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Parsed["ts_y"] == "2022"
+basename(results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["machine"] == "keira"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["service"] == "bind9"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Meta["source_ip"] == "104.219.136.31"
+results["s01-parse"]["mstilkerich/bind9"][0].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][1].Success == true
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_d"] == "19"
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_m"] == "Oct"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["remote_addr"] == "104.219.136.31"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["remote_port"] == "3076"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425"
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_d"] == "19"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_m"] == "Oct"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_ms"] == "425"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_t"] == "05:34:03"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Parsed["ts_y"] == "2022"
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["service"] == "bind9"
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["source_ip"] == "104.219.136.31"
-results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+basename(results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["machine"] == "keira"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["service"] == "bind9"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Meta["source_ip"] == "104.219.136.31"
+results["s01-parse"]["mstilkerich/bind9"][1].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][2].Success == true
-results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_m"] == "Oct"
-results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_t"] == "08:30:43"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["message"] == "20-Oct-2022 08:30:43.685 client @0x7f6520147ae8 164.92.117.245#55590 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["pid"] == "2075772"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["remote_addr"] == "164.92.117.245"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["remote_port"] == "55590"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["timestamp"] == "20-Oct-2022 08:30:43.685"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_d"] == "20"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_m"] == "Oct"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_ms"] == "685"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_t"] == "08:30:43"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["ts_y"] == "2022"
-results["s01-parse"]["mstilkerich/bind9"][2].Evt.Parsed["program"] == "named"
+basename(results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["machine"] == "keira"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["service"] == "bind9"
 results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["source_ip"] == "164.92.117.245"
-results["s01-parse"]["mstilkerich/bind9"][2].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][2].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][3].Success == true
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["remote_port"] == "62449"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["timestamp"] == "03-Nov-2022 13:34:52.235"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_m"] == "Nov"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_ms"] == "235"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_y"] == "2022"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["message"] == "03-Nov-2022 13:34:52.235 security: error: client @0x7fb04c007328 2003:f8:733:b600:6018:bbe4:d0ed:22#62449 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["remote_port"] == "62449"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["timestamp"] == "03-Nov-2022 13:34:52.235"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_d"] == "03"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_m"] == "Nov"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_ms"] == "235"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_t"] == "13:34:52"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["service"] == "bind9"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Parsed["ts_y"] == "2022"
+basename(results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["machine"] == "keira"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["service"] == "bind9"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][3].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][4].Success == true
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_y"] == "2022"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["message"] == "03-Nov-2022 13:37:23.345 error: client @0x7f7b200091e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62465 (example.com): zone transfer 'example.com/AXFR/IN' denied"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_d"] == "03"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["pid"] == "2075772"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["program"] == "named"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["remote_port"] == "62465"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["timestamp"] == "03-Nov-2022 13:37:23.345"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_d"] == "03"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_m"] == "Nov"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_ms"] == "345"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_t"] == "13:37:23"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["program"] == "named"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["service"] == "bind9"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Parsed["ts_y"] == "2022"
+basename(results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["machine"] == "keira"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["service"] == "bind9"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][4].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][5].Success == true
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_m"] == "Nov"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["message"] == "03-Nov-2022 13:37:37.525 security: client @0x7f3f9c009168 2003:f8:733:b600:6018:bbe4:d0ed:22#62466 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["pid"] == "2075772"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["timestamp"] == "03-Nov-2022 13:37:37.525"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["remote_port"] == "62466"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["timestamp"] == "03-Nov-2022 13:37:37.525"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_d"] == "03"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_m"] == "Nov"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_ms"] == "525"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_t"] == "13:37:37"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["ts_y"] == "2022"
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["message"] == "03-Nov-2022 13:37:37.525 security: client @0x7f3f9c009168 2003:f8:733:b600:6018:bbe4:d0ed:22#62466 (example.com): zone transfer 'example.com/AXFR/IN' denied"
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Parsed["program"] == "named"
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+basename(results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["machine"] == "keira"
 results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["service"] == "bind9"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][5].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][6].Success == true
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["message"] == "03-Nov-2022 13:38:37.525 client @0x7fa0a4137838 2003:f8:733:b600:2c44:fab4:5e6e:d791#61738 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)"
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:2c44:fab4:5e6e:d791"
-results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_d"] == "03"
-results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_y"] == "2022"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["remote_port"] == "61738"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["timestamp"] == "03-Nov-2022 13:38:37.525"
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_d"] == "03"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_m"] == "Nov"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_ms"] == "525"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_t"] == "13:38:37"
-results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Parsed["ts_y"] == "2022"
+basename(results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["machine"] == "keira"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["service"] == "bind9"
 results["s01-parse"]["mstilkerich/bind9"][6].Evt.Meta["source_ip"] == "2003:f8:733:b600:2c44:fab4:5e6e:d791"
+results["s01-parse"]["mstilkerich/bind9"][6].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][7].Success == true
+results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["message"] == "security: client @0x7f37ac012d98 2003:f8:733:b600:6018:bbe4:d0ed:22#62518 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Parsed["remote_port"] == "62518"
-results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+basename(results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["machine"] == "keira"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["service"] == "bind9"
 results["s01-parse"]["mstilkerich/bind9"][7].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][7].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][8].Success == true
-results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["program"] == "named"
-results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["remote_port"] == "62524"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["message"] == "client @0x7f8ac00071e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62524 (example.com): zone transfer 'example.com/AXFR/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["pid"] == "2075772"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["program"] == "named"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
-results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Parsed["remote_port"] == "62524"
+basename(results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["log_type"] == "bind9_denied"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["machine"] == "keira"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["service"] == "bind9"
 results["s01-parse"]["mstilkerich/bind9"][8].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22"
+results["s01-parse"]["mstilkerich/bind9"][8].Evt.Whitelisted == false
 results["s01-parse"]["mstilkerich/bind9"][9].Success == true
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["remote_addr"] == "104.219.136.31"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_m"] == "Oct"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_y"] == "2022"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_t"] == "05:34:02"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["pid"] == "2075772"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["program"] == "named"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["remote_addr"] == "104.219.136.31"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["remote_port"] == "3076"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_d"] == "19"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_m"] == "Oct"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_ms"] == "425"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["service"] == "bind9"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["source_ip"] == "104.219.136.31"
-results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["datasource_path"] == "bind9-syslog.log"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_t"] == "05:34:02"
+results["s01-parse"]["mstilkerich/bind9"][9].Evt.Parsed["ts_y"] == "2022"
+basename(results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["datasource_path"]) == "bind9-syslog.log"
 results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["log_type"] == "bind9_denied" +results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["machine"] == "keira" +results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["service"] == "bind9" +results["s01-parse"]["mstilkerich/bind9"][9].Evt.Meta["source_ip"] == "104.219.136.31" +results["s01-parse"]["mstilkerich/bind9"][9].Evt.Whitelisted == false results["s01-parse"]["mstilkerich/bind9"][10].Success == true -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_d"] == "19" -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_m"] == "Oct" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["pid"] == "2075772" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["program"] == "named" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["remote_addr"] == "104.219.136.31" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["remote_port"] == "3076" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425" -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_d"] == "19" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_m"] == "Oct" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_ms"] == "425" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_t"] == "05:34:03" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Parsed["ts_y"] == "2022" -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["service"] == "bind9" -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["source_ip"] == 
"104.219.136.31" -results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["datasource_path"] == "bind9-syslog.log" +basename(results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["datasource_path"]) == "bind9-syslog.log" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["log_type"] == "bind9_denied" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["machine"] == "keira" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["service"] == "bind9" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Meta["source_ip"] == "104.219.136.31" +results["s01-parse"]["mstilkerich/bind9"][10].Evt.Whitelisted == false results["s01-parse"]["mstilkerich/bind9"][11].Success == true -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_d"] == "19" -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_m"] == "Oct" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 3.135.188.55#52617 (sl): query (cache) 'sl/ANY/IN' denied" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["pid"] == "2075772" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["program"] == "named" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["remote_addr"] == "3.135.188.55" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["remote_port"] == "52617" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425" -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 3.135.188.55#52617 (sl): query (cache) 'sl/ANY/IN' denied" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_d"] == "19" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_m"] == "Oct" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_ms"] == "425" 
results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_t"] == "05:34:03" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Parsed["ts_y"] == "2022" +basename(results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["log_type"] == "bind9_denied" +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["machine"] == "keira" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["service"] == "bind9" results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["source_ip"] == "3.135.188.55" -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["datasource_path"] == "bind9-syslog.log" -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["mstilkerich/bind9"][11].Evt.Meta["log_type"] == "bind9_denied" \ No newline at end of file +results["s01-parse"]["mstilkerich/bind9"][11].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 12 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_port"] == "3076" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ts_d"] == "19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ts_m"] == "Oct" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ts_ms"] == "425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ts_t"] == "05:34:02" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-10-19T05:34:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-10-19T05:34:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client @0x7f65100ee4d8 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "named" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_port"] == "3076" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ts_d"] == "19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ts_m"] == "Oct" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ts_ms"] == "425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ts_t"] == "05:34:03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "20-Oct-2022 08:30:43.685 client @0x7f6520147ae8 164.92.117.245#55590 
(example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "164.92.117.245" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_port"] == "55590" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "20-Oct-2022 08:30:43.685" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ts_d"] == "20" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ts_m"] == "Oct" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ts_ms"] == "685" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ts_t"] == "08:30:43" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "164.92.117.245" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-10-20T08:30:43Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-10-20T08:30:43Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "03-Nov-2022 13:34:52.235 security: error: client @0x7fb04c007328 2003:f8:733:b600:6018:bbe4:d0ed:22#62449 (example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_port"] == "62449" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "03-Nov-2022 13:34:52.235" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["ts_d"] == "03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["ts_m"] == "Nov" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["ts_ms"] == "235" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["ts_t"] == "13:34:52" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-11-03T13:34:52Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-11-03T13:34:52Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "03-Nov-2022 13:37:23.345 error: client @0x7f7b200091e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62465 (example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_port"] == "62465" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "03-Nov-2022 13:37:23.345" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["ts_d"] == "03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["ts_m"] == "Nov" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["ts_ms"] == "345" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["ts_t"] == "13:37:23" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == 
"bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-11-03T13:37:23Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-11-03T13:37:23Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "03-Nov-2022 13:37:37.525 security: client @0x7f3f9c009168 2003:f8:733:b600:6018:bbe4:d0ed:22#62466 (example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_port"] == "62466" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "03-Nov-2022 13:37:37.525" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["ts_d"] == "03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["ts_m"] == "Nov" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["ts_ms"] == "525" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["ts_t"] == "13:37:37" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-11-03T13:37:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-11-03T13:37:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "03-Nov-2022 13:38:37.525 client @0x7fa0a4137838 2003:f8:733:b600:2c44:fab4:5e6e:d791#61738 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:2c44:fab4:5e6e:d791" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_port"] == "61738" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "03-Nov-2022 13:38:37.525" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["ts_d"] == "03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["ts_m"] == "Nov" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["ts_ms"] == "525" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["ts_t"] == "13:38:37" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "2003:f8:733:b600:2c44:fab4:5e6e:d791" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-11-03T13:38:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-11-03T13:38:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "security: client @0x7f37ac012d98 2003:f8:733:b600:6018:bbe4:d0ed:22#62518 (example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "named" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_port"] == "62518" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2025-11-13T10:59:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2025-11-13T10:59:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "client @0x7f8ac00071e8 2003:f8:733:b600:6018:bbe4:d0ed:22#62524 (example.com): zone transfer 'example.com/AXFR/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["remote_addr"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["remote_port"] == "62524" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "2003:f8:733:b600:6018:bbe4:d0ed:22" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2025-11-13T10:59:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2025-11-13T10:59:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "19-Oct-2022 05:34:02.425 client 104.219.136.31#3076 (example.com): query (cache) 'example.com/ANY/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["remote_addr"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["remote_port"] == "3076" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:02.425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["ts_d"] == "19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["ts_m"] == "Oct" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["ts_ms"] == "425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["ts_t"] == "05:34:02" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2022-10-19T05:34:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2022-10-19T05:34:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 104.219.136.31#3076 (example.com): query 'example.com/ANY/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["pid"] == "2075772" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["remote_addr"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["remote_port"] == "3076" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["ts_d"] == "19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["ts_m"] == "Oct" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["ts_ms"] == "425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["ts_t"] == "05:34:03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "104.219.136.31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "19-Oct-2022 05:34:03.425 client 3.135.188.55#52617 (sl): query (cache) 'sl/ANY/IN' denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["pid"] == "2075772" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "named" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["remote_addr"] == "3.135.188.55" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["remote_port"] == "52617" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "19-Oct-2022 05:34:03.425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["ts_d"] == "19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["ts_m"] == "Oct" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["ts_ms"] == "425" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["ts_t"] == "05:34:03" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["ts_y"] == "2022" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "bind9-syslog.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "bind9_denied" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["machine"] == "keira" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "bind9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "3.135.188.55" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2022-10-19T05:34:03Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/.tests/bitwarden-bf/parser.assert b/.tests/bitwarden-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 
diff --git a/.tests/bitwarden-bf/scenario.assert b/.tests/bitwarden-bf/scenario.assert
index 2a68bdb84e6..495439d331b 100644
--- a/.tests/bitwarden-bf/scenario.assert
+++ b/.tests/bitwarden-bf/scenario.assert
@@ -4,39 +4,39 @@ results[0].Overflow.Sources["207.96.38.254"].IP == "207.96.38.254"
 results[0].Overflow.Sources["207.96.38.254"].Range == ""
 results[0].Overflow.Sources["207.96.38.254"].GetScope() == "Ip"
 results[0].Overflow.Sources["207.96.38.254"].GetValue() == "207.96.38.254"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-24T13:06:36.295Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-24T13:06:37.124Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-24T13:06:37.235Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-24T13:06:38.215Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-24T13:06:39.391Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-04-24T13:06:39.392Z"
@@ -48,39 +48,39 @@ results[1].Overflow.Sources["207.96.38.253"].IP == "207.96.38.253"
 results[1].Overflow.Sources["207.96.38.253"].Range == ""
 results[1].Overflow.Sources["207.96.38.253"].GetScope() == "Ip"
 results[1].Overflow.Sources["207.96.38.253"].GetValue() == "207.96.38.253"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-23T22:07:05.311Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-23T22:07:06.436Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-23T22:07:07.436Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-23T22:07:08.436Z"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-23T22:07:09.436Z"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-04-23T22:07:09.436Z"
diff --git a/.tests/bitwarden-logs/parser.assert b/.tests/bitwarden-logs/parser.assert
index 7a1b1986774..45893daea6b 100644
--- a/.tests/bitwarden-logs/parser.assert
+++ b/.tests/bitwarden-logs/parser.assert
@@ -1,100 +1,100 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "bitwarden"
-basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2023-04-23 21:53:54.706 -05:00 [ERR] Request to https://push.bitwarden.com/push/register is unsuccessful with status of \"BadRequest\"-Bad Request"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "bitwarden"
-basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "bitwarden"
-basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2023-04-24 16:10:32.219 -05:00 [INF] Identity started."
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "bitwarden"
-basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-len(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"]) == 4
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Success == true
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_day"] == "23"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_month"] == "04"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_time"] == "21:53:37.311"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_year"] == "2023"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["program"] == "bitwarden"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
-basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["service"] == "bitwarden"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Whitelisted == false
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][1].Success == false
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Success == true
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_day"] == "24"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_month"] == "04"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_time"] == "13:06:35.295"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_year"] == "2023"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["program"] == "bitwarden"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
-basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["log_type"] == "bitwarden_failed_auth"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["service"] == "bitwarden"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Whitelisted == false
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][3].Success == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_day"] == "23"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_month"] == "04"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_time"] == "21:53:37.311"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "bitwarden"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
-basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bitwarden"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-04-23T21:53:37.311Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-04-23T21:53:37.311Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_day"] == "24"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_month"] == "04"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_time"] == "13:06:35.295"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "bitwarden"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
-basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "bitwarden_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "bitwarden"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-04-24T13:06:35.295Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-04-24T13:06:35.295Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
-len(results["success"][""]) == 0
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "bitwarden"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2023-04-23 21:53:54.706 -05:00 [ERR] Request to https://push.bitwarden.com/push/register is unsuccessful with status of \"BadRequest\"-Bad Request"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "bitwarden"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "bitwarden"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2023-04-24 16:10:32.219 -05:00 [INF] Identity started."
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "bitwarden"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+len(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"]) == 4
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Success == true
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_day"] == "23"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_month"] == "04"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_time"] == "21:53:37.311"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["exim_year"] == "2023"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["program"] == "bitwarden"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["service"] == "bitwarden"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][1].Success == false
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Success == true
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_day"] == "24"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_month"] == "04"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_time"] == "13:06:35.295"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_year"] == "2023"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["program"] == "bitwarden"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["service"] == "bitwarden"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][3].Success == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_day"] == "23"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_month"] == "04"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_time"] == "21:53:37.311"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_year"] == "2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "bitwarden"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bitwarden"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-04-23T21:53:37.311Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-04-23T21:53:37.311Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_day"] == "24"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_month"] == "04"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_time"] == "13:06:35.295"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_year"] == "2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "bitwarden"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "bitwarden"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-04-24T13:06:35.295Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-04-24T13:06:35.295Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/bookstack-bf/parser.assert b/.tests/bookstack-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/bookstack-bf/scenario.assert b/.tests/bookstack-bf/scenario.assert
index f70711f675b..dca29d52410 100644
--- a/.tests/bookstack-bf/scenario.assert
+++ b/.tests/bookstack-bf/scenario.assert
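Review bot: The -100/+100 shape of this hunk rewrites every line of parser.assert although only the `log_type` → `auth_status` assertions actually change in content, which suggests the file's line endings or trailing whitespace changed at the same time and buries the substantive change in a full-file diff. If that is the cause, normalizing the endings in a separate commit (or via a `* text=auto` entry in `.gitattributes`) would leave a diff of just the replaced lines, which is what reviewers and `git blame` need. A minor fixture point: the source address `207.96.38.253` carried into the new side is a routable address rather than one from the RFC 5737 documentation ranges; if these sample lines are not deliberately preserved from a real log, a `192.0.2.x` address would avoid pinning a third party's IP into the repository's test data.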
@@ -4,34 +4,34 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "bookstack-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "bookstack_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "bookstack"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-23T09:58:51Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "bookstack-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "bookstack_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "bookstack"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-23T09:58:52Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "bookstack-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "bookstack_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "bookstack"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-23T09:58:53Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "bookstack-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "bookstack_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "bookstack"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-23T09:58:55Z"
 results[0].Overflow.Alert.GetScenario() == "xs539/bookstack-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 4
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/bookstack-logs/bookstack-logs.log b/.tests/bookstack-logs/bookstack-logs.log
index 346c85da9ff..fb8ee9b1afa 100644
--- a/.tests/bookstack-logs/bookstack-logs.log
+++ b/.tests/bookstack-logs/bookstack-logs.log
@@ -1,2 +1,3 @@
 2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for user@example.com" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"
 [Fri Mar 15 10:12:48.1234 2024] [php:notice] [pid 83429] [client 192.168.1.1:23006] Failed login for Does@not.exist, referer: http://0.0.0.0:9080/login
+[Fri Mar 15 10:13:00.0000 2024] [php:notice] [pid 83430] [client 1.2.3.4:23007] Failed login for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, referer: http://0.0.0.0:9080/login
diff --git a/.tests/bookstack-logs/parser.assert b/.tests/bookstack-logs/parser.assert
index 2e547fec92f..4baa80c6cba 100644
--- a/.tests/bookstack-logs/parser.assert
+++ b/.tests/bookstack-logs/parser.assert
@@ -1,30 +1,37 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for user@example.com\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\"" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "bookstack" -results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[Fri Mar 15 10:12:48.1234 2024] [php:notice] [pid 83429] [client 192.168.1.1:23006] Failed login for Does@not.exist, referer: http://0.0.0.0:9080/login" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "bookstack" -results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "bookstack-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2 +results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true 
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Fri Mar 15 10:13:00.0000 2024] [php:notice] [pid 83430] [client 1.2.3.4:23007] Failed login for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, referer: http://0.0.0.0:9080/login" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "bookstack" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "bookstack-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false -len(results["s01-parse"]["xs539/bookstack-logs"]) == 2 +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false +len(results["s01-parse"]["xs539/bookstack-logs"]) == 3 results["s01-parse"]["xs539/bookstack-logs"][0].Success == true results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for user@example.com\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\"" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["program"] == "bookstack" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["target_user"] == "user@example.com" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["timestamp"] == "2023/09/23 09:58:54" -results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log" 
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["log_type"] == "bookstack_failed_auth" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["service"] == "bookstack" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["target_user"] == "user@example.com" 
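Review bot: Dropping `Meta["log_type"]` (the removed `Evt.Meta["log_type"] == "bookstack_failed_auth"` assertions) changes the parser's output contract, and any locally written scenario or notification template that filters on `evt.Meta.log_type` keeps loading but silently never matches, which is a detection gap rather than a visible error. The replacement keys `auth_status == "failed"` plus `service == "bookstack"` are consistent across all three stages in this hunk, so the assertions look right on their own. I would call the removal out in the parser's description and name the replacement filter, e.g. `evt.Meta.service == 'bookstack' && evt.Meta.auth_status == 'failed'`, so downstream users can update before upgrading.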
@@ -39,23 +46,40 @@ results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Parsed["remote_addr"] == "19 results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Parsed["remote_port"] == "23006" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Parsed["target_user"] == "Does@not.exist" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Parsed["timestamp"] == "Fri Mar 15 10:12:48.1234 2024" -results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["datasource_path"] == "bookstack-logs.log" +results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["log_type"] == "bookstack_failed_auth" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["service"] == "bookstack" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Meta["target_user"] == "Does@not.exist" results["s01-parse"]["xs539/bookstack-logs"][1].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2 +results["s01-parse"]["xs539/bookstack-logs"][2].Success == true +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["http_referer"] == "http://0.0.0.0:9080/login" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["log_level"] == "notice" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["message"] == "[Fri Mar 15 10:13:00.0000 2024] [php:notice] [pid 83430] [client 1.2.3.4:23007] Failed login for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, referer: http://0.0.0.0:9080/login" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["pid"] == "83430" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["program"] == "bookstack" 
+results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["remote_addr"] == "1.2.3.4" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["remote_port"] == "23007" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Parsed["timestamp"] == "Fri Mar 15 10:13:00.0000 2024" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["datasource_path"]) == "bookstack-logs.log" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["service"] == "bookstack" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["xs539/bookstack-logs"][2].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for user@example.com\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "bookstack" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "user@example.com" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023/09/23 09:58:54" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bookstack_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bookstack" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "user@example.com" 
@@ -72,13 +96,32 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_ad results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_port"] == "23006" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_user"] == "Does@not.exist" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Fri Mar 15 10:12:48.1234 2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "bookstack-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "bookstack-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "bookstack_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "bookstack" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "Does@not.exist" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-03-15T10:12:48.1234Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-03-15T10:12:48.1234Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_referer"] == "http://0.0.0.0:9080/login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["log_level"] == "notice" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Fri Mar 15 10:13:00.0000 2024] [php:notice] [pid 83430] 
[client 1.2.3.4:23007] Failed login for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, referer: http://0.0.0.0:9080/login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "83430" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "bookstack" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_port"] == "23007" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Fri Mar 15 10:13:00.0000 2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "bookstack-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "bookstack" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-03-15T10:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-03-15T10:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/.tests/caddy-basic-auth-bf/parser.assert b/.tests/caddy-basic-auth-bf/parser.assert deleted file mode 100644 index 8b137891791..00000000000 --- a/.tests/caddy-basic-auth-bf/parser.assert +++ /dev/null @@ -1 +0,0 @@ - 
diff --git a/.tests/caddy-crs-anomaly-score/parser.assert b/.tests/caddy-crs-anomaly-score/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/calibre-web-bf/parser.assert b/.tests/calibre-web-bf/parser.assert
deleted file mode 100644
index 8b137891791..00000000000
--- a/.tests/calibre-web-bf/parser.assert
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/.tests/calibre-web-bf/scenario.assert b/.tests/calibre-web-bf/scenario.assert
index 60d645c7877..b60afa7bfc5 100644
--- a/.tests/calibre-web-bf/scenario.assert
+++ b/.tests/calibre-web-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1" results[0].Overflow.Sources["127.0.0.1"].Range == "" results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip" results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "calibre-web-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "calibre-web_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test4@example.org" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-17T13:17:11.562Z" -results[0].Overflow.Alert.Events[0].GetMeta("user") == "test4@example.org" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "calibre-web-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "calibre-web_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test5" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-17T13:17:13.861Z" -results[0].Overflow.Alert.Events[1].GetMeta("user") == "test5" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "calibre-web-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "calibre-web_failed_auth" 
results[0].Overflow.Alert.Events[2].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test6" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-17T13:17:16.148Z" -results[0].Overflow.Alert.Events[2].GetMeta("user") == "test6" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "calibre-web-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "calibre-web_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test7@example.net" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-17T13:17:20.401Z" -results[0].Overflow.Alert.Events[3].GetMeta("user") == "test7@example.net" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "calibre-web-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "calibre-web_failed_auth" results[0].Overflow.Alert.Events[4].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test8" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-17T13:17:23.493Z" -results[0].Overflow.Alert.Events[4].GetMeta("user") == "test8" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "calibre-web-bf.log" 
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "calibre-web_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("service") == "calibre-web" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test9" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-17T13:17:26.291Z" -results[0].Overflow.Alert.Events[5].GetMeta("user") == "test9" results[0].Overflow.Alert.GetScenario() == "Jgigantino31/calibre-web-bf_user-enum" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1" results[1].Overflow.Sources["127.0.0.1"].Range == "" results[1].Overflow.Sources["127.0.0.1"].GetScope() == "Ip" results[1].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1" +results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "calibre-web-bf.log" results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "calibre-web_failed_auth" results[1].Overflow.Alert.Events[0].GetMeta("service") == "calibre-web" results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1" +results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "test4@example.org" results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-17T13:17:11.562Z" -results[1].Overflow.Alert.Events[0].GetMeta("user") == "test4@example.org" +results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "calibre-web-bf.log" results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "calibre-web_failed_auth" results[1].Overflow.Alert.Events[1].GetMeta("service") == "calibre-web" results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1" +results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "test5" results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-17T13:17:13.861Z" -results[1].Overflow.Alert.Events[1].GetMeta("user") == "test5" +results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "calibre-web-bf.log" results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "calibre-web_failed_auth" 
results[1].Overflow.Alert.Events[2].GetMeta("service") == "calibre-web" results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1" +results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "test6" results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-17T13:17:16.148Z" -results[1].Overflow.Alert.Events[2].GetMeta("user") == "test6" +results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "calibre-web-bf.log" results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "calibre-web_failed_auth" results[1].Overflow.Alert.Events[3].GetMeta("service") == "calibre-web" results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1" +results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "test7@example.net" results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-17T13:17:20.401Z" -results[1].Overflow.Alert.Events[3].GetMeta("user") == "test7@example.net" +results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "calibre-web-bf.log" results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "calibre-web_failed_auth" results[1].Overflow.Alert.Events[4].GetMeta("service") == "calibre-web" results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1" +results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "test8" results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-17T13:17:23.493Z" -results[1].Overflow.Alert.Events[4].GetMeta("user") == "test8" +results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "calibre-web-bf.log" 
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "calibre-web_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "calibre-web"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "test9"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-17T13:17:26.291Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "test9"
 results[1].Overflow.Alert.GetScenario() == "Jgigantino31/calibre-web-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/calibre-web-logs/calibre-web-logs.log b/.tests/calibre-web-logs/calibre-web-logs.log
index d31ddd7cc63..f5fc7e1f24c 100644
--- a/.tests/calibre-web-logs/calibre-web-logs.log
+++ b/.tests/calibre-web-logs/calibre-web-logs.log
@@ -4,3 +4,4 @@
 [2025-07-17 13:17:20,401] WARN {cps.web:1475} Login failed for user "test7@example.net" IP-address: 127.0.0.1
 [2025-07-17 13:17:23,493] WARN {cps.web:1475} Login failed for user "test8" IP-address: 127.0.0.1
 [2025-07-17 13:17:26,291] WARN {cps.web:1475} Login failed for user "test9" IP-address: 127.0.0.1
+[2025-07-17 13:18:00,000] WARN {cps.web:1475} Login failed for user "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" IP-address: 127.0.0.1
diff --git a/.tests/calibre-web-logs/parser.assert b/.tests/calibre-web-logs/parser.assert
index 44958474980..38b319d543f 100644
--- a/.tests/calibre-web-logs/parser.assert
+++ b/.tests/calibre-web-logs/parser.assert
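Review bot: The new calibre-web fixture line again uses a benign, double-quoted username, while the parser assertions in this change read both `username` and `source_ip` out of `Login failed for user "<user>" IP-address: <ip>`, where `<user>` is attacker-supplied. A username containing a quote and a fake trailer, e.g. `Login failed for user "x" IP-address: 9.9.9.9" IP-address: 127.0.0.1`, is the case that decides whether `source_ip` can be spoofed into banning an arbitrary address, and no fixture covers it. I cannot see the grok pattern here, so whether the capture is greedy or anchored on the last `IP-address:` is inferred, not confirmed; a fixture line plus assertion would settle it.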
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[2025-07-17 13:17:11,562] WARN {cps.web:1475} Login failed for user \"test4@example.org\" IP-address: 127.0.0.1"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "calibre-web"
@@ -36,26 +36,33 @@ results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "cali basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6 +results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "[2025-07-17 13:18:00,000] WARN {cps.web:1475} Login failed for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" IP-address: 127.0.0.1" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "calibre-web" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false -len(results["s01-parse"]["Jgigantino31/calibre-web-logs"]) == 6 +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false +len(results["s01-parse"]["Jgigantino31/calibre-web-logs"]) == 7 results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Success == true results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Parsed["message"] == "[2025-07-17 13:17:11,562] WARN {cps.web:1475} Login failed for user \"test4@example.org\" 
IP-address: 127.0.0.1" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Parsed["program"] == "calibre-web" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Parsed["timestamp"] == "2025-07-17 13:17:11,562" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Parsed["username"] == "test4@example.org" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["service"] == "calibre-web" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["user"] == "test4@example.org" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Meta["target_user"] == "test4@example.org" results["s01-parse"]["Jgigantino31/calibre-web-logs"][0].Evt.Whitelisted == false results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Success == true results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Parsed["message"] == "[2025-07-17 13:17:13,861] WARN {cps.web:1475} Login failed for user \"test5\" IP-address: 127.0.0.1" 
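Review bot: Renaming `Meta["user"]` to `Meta["target_user"]` and dropping `Meta["log_type"]` (the `-`/`+` pairs on event [0] here) is a breaking change to the parser's output: a custom scenario filtering on `evt.Meta.user` or `evt.Meta.log_type == "calibre-web_failed_auth"` will still load but never fire, so the failure mode is a silent loss of detection. The new key names match the bookstack assertions in this same change, which is the right direction for hub-wide consistency. I would state the renamed and removed keys in the parser's description so operators can adjust their own scenarios and notification templates when they upgrade.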
@@ -63,12 +70,12 @@ results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Parsed["program"] =
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Parsed["timestamp"] == "2025-07-17 13:17:13,861"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Parsed["username"] == "test5"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["datasource_path"]) == "calibre-web-logs.log"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["log_type"] == "calibre-web_failed_auth"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["service"] == "calibre-web"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["user"] == "test5"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Meta["target_user"] == "test5"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Success == true
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Parsed["message"] == "[2025-07-17 13:17:16,148] WARN {cps.web:1475} Login failed for user \"test6\" IP-address: 127.0.0.1"
@@ -76,12 +83,12 @@ results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Parsed["program"] =
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Parsed["timestamp"] == "2025-07-17 13:17:16,148"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Parsed["username"] == "test6"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["datasource_path"]) == "calibre-web-logs.log"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["log_type"] == "calibre-web_failed_auth"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["service"] == "calibre-web"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["user"] == "test6"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Meta["target_user"] == "test6"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Success == true
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Parsed["message"] == "[2025-07-17 13:17:20,401] WARN {cps.web:1475} Login failed for user \"test7@example.net\" IP-address: 127.0.0.1"
@@ -89,12 +96,12 @@ results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Parsed["program"] =
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Parsed["timestamp"] == "2025-07-17 13:17:20,401"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Parsed["username"] == "test7@example.net"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["datasource_path"]) == "calibre-web-logs.log"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["log_type"] == "calibre-web_failed_auth"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["service"] == "calibre-web"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["user"] == "test7@example.net"
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Meta["target_user"] == "test7@example.net"
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Success == true
 results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Parsed["message"] == "[2025-07-17 13:17:23,493] WARN {cps.web:1475} Login failed for user \"test8\" IP-address: 127.0.0.1"
@@ -102,12 +109,12 @@ results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Parsed["program"] = results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Parsed["timestamp"] == "2025-07-17 13:17:23,493" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Parsed["username"] == "test8" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["service"] == "calibre-web" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["user"] == "test8" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Meta["target_user"] == "test8" results["s01-parse"]["Jgigantino31/calibre-web-logs"][4].Evt.Whitelisted == false results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Success == true results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Parsed["message"] == "[2025-07-17 13:17:26,291] WARN {cps.web:1475} Login failed for user \"test9\" IP-address: 127.0.0.1" 
@@ -115,27 +122,40 @@ results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Parsed["program"] = results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Parsed["timestamp"] == "2025-07-17 13:17:26,291" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Parsed["username"] == "test9" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["service"] == "calibre-web" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["user"] == "test9" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Meta["target_user"] == "test9" results["s01-parse"]["Jgigantino31/calibre-web-logs"][5].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Success == true +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Parsed["message"] == "[2025-07-17 13:18:00,000] WARN {cps.web:1475} Login failed for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" IP-address: 127.0.0.1" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Parsed["program"] == "calibre-web" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Parsed["timestamp"] == "2025-07-17 13:18:00,000" 
+results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["service"] == "calibre-web" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["Jgigantino31/calibre-web-logs"][6].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[2025-07-17 13:17:11,562] WARN {cps.web:1475} Login failed for user \"test4@example.org\" IP-address: 127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2025-07-17 13:17:11,562" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test4@example.org" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == 
"calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test4@example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-17T13:17:11.562Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "test4@example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:11.562Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true 
@@ -144,13 +164,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2025-07-17 13:17:13,861" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test5" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test5" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-17T13:17:13.861Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "test5" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:13.861Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true 
@@ -159,13 +179,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2025-07-17 13:17:16,148" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "test6" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "test6" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-17T13:17:16.148Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "test6" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:16.148Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true 
@@ -174,13 +194,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2025-07-17 13:17:20,401" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "test7@example.net" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test7@example.net" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-17T13:17:20.401Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "test7@example.net" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:20.401Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true 
@@ -189,13 +209,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2025-07-17 13:17:23,493" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "test8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "test8" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2025-07-17T13:17:23.493Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "test8" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:23.493Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true 
@@ -204,13 +224,28 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2025-07-17 13:17:26,291" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "test9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "calibre-web_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "calibre-web" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "test9" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-07-17T13:17:26.291Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "test9" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:17:26.291Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "[2025-07-17 13:18:00,000] WARN {cps.web:1475} Login failed for user \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" IP-address: 127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "calibre-web" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] 
== "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "2025-07-17 13:18:00,000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "calibre-web-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "calibre-web" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2025-07-17T13:18:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:18:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/.tests/cowrie-logs/parser.assert b/.tests/cowrie-logs/parser.assert index 93378b062df..b3698cb32fc 100644 --- a/.tests/cowrie-logs/parser.assert +++ b/.tests/cowrie-logs/parser.assert 
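Review bot: The seventh event pins `Meta["timestamp"]` and `Enriched["MarshaledTime"]` as `2025-07-17T13:18:00Z`, i.e. a zone-less log timestamp (`[2025-07-17 13:18:00,000]`) is interpreted as UTC. calibre-web's timestamp is Python logging's `asctime`, which by default formats local time, so on a non-UTC host every parsed event is offset by the host's UTC offset and the scenario's time windows and alert times shift with it. The assert file cannot fix that, but the parser's description should say so, e.g. `# calibre-web logs naive local time and dateparse-enrich treats it as UTC; run the service in UTC or expect offset alert times`. The dropped fractional part in the marshaled value is only because the fixture line uses `,000`; that is consistent with the `.562Z` form on the earlier events, not a regression.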
@@ -1,3 +1,20 @@ +len(results) == 3 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Dec 8 06:28:43 ip.compute.internal cowrie[2806]: 2020-12-08T06:28:43+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 4.2.3.1:47630 (1.2.3.4:2222) [session: 3e5a9212b91f]" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "cowrie" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "cowrie-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Dec 8 06:28:44 ip.compute.internal cowrie[2806]: 2020-12-08T06:28:44+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 1.1.1.1:47631 (1.2.3.4:2222) [session: 3e5a9212s1f]" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "cowrie" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "cowrie-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false len(results["s01-parse"]["cowrie-logs"]) == 2 results["s01-parse"]["cowrie-logs"][0].Success == true results["s01-parse"]["cowrie-logs"][0].Evt.Parsed["dest_ip"] == "1.2.3.4" 
@@ -6,13 +23,14 @@ results["s01-parse"]["cowrie-logs"][0].Evt.Parsed["message"] == "Dec 8 06:28:43 results["s01-parse"]["cowrie-logs"][0].Evt.Parsed["program"] == "cowrie" results["s01-parse"]["cowrie-logs"][0].Evt.Parsed["source_ip"] == "4.2.3.1" results["s01-parse"]["cowrie-logs"][0].Evt.Parsed["telnet_session"] == "3e5a9212b91f" -results["s01-parse"]["cowrie-logs"][0].Evt.Meta["source_ip"] == "4.2.3.1" -results["s01-parse"]["cowrie-logs"][0].Evt.Meta["datasource_path"] == "cowrie-logs.log" +basename(results["s01-parse"]["cowrie-logs"][0].Evt.Meta["datasource_path"]) == "cowrie-logs.log" results["s01-parse"]["cowrie-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["cowrie-logs"][0].Evt.Meta["dest_ip"] == "1.2.3.4" results["s01-parse"]["cowrie-logs"][0].Evt.Meta["dest_port"] == "2222" results["s01-parse"]["cowrie-logs"][0].Evt.Meta["log_type"] == "telnet_new_session" results["s01-parse"]["cowrie-logs"][0].Evt.Meta["service"] == "telnet" +results["s01-parse"]["cowrie-logs"][0].Evt.Meta["source_ip"] == "4.2.3.1" +results["s01-parse"]["cowrie-logs"][0].Evt.Whitelisted == false results["s01-parse"]["cowrie-logs"][1].Success == true results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["dest_ip"] == "1.2.3.4" results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["dest_port"] == "2222" 
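Review bot: The two fixture lines come from `cowrie.ssh.factory.CowrieSSHFactory` on port 2222, yet the block re-pinned here keeps `Meta["service"] == "telnet"` and `Meta["log_type"] == "telnet_new_session"`, so SSH honeypot connections are filed as telnet by anything keying on `service`. Those are context lines, so the mislabel predates the commit, but this is the moment the whole block is being regenerated. Either derive the service from the factory class in the parser and assert `results["s01-parse"]["cowrie-logs"][0].Evt.Meta["service"] == "ssh"`, or add a comment to the parser saying telnet is intentional. Separately, `cowrie-logs` is the only parser in these asserts registered without an `author/` prefix; if it is meant for the hub, namespacing its `name` keeps the `results` keys consistent.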
@@ -20,11 +38,12 @@ results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["message"] == "Dec 8 06:28:44 results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["program"] == "cowrie" results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["source_ip"] == "1.1.1.1" results["s01-parse"]["cowrie-logs"][1].Evt.Parsed["telnet_session"] == "3e5a9212s1f" +basename(results["s01-parse"]["cowrie-logs"][1].Evt.Meta["datasource_path"]) == "cowrie-logs.log" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["dest_ip"] == "1.2.3.4" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["dest_port"] == "2222" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["log_type"] == "telnet_new_session" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["service"] == "telnet" results["s01-parse"]["cowrie-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["cowrie-logs"][1].Evt.Meta["datasource_path"] == "cowrie-logs.log" - +results["s01-parse"]["cowrie-logs"][1].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/.tests/cpanel-bf/scenario.assert b/.tests/cpanel-bf/scenario.assert index ddf04ef04f2..a7c8cf6db0e 100644 --- a/.tests/cpanel-bf/scenario.assert +++ b/.tests/cpanel-bf/scenario.assert 
@@ -4,60 +4,60 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" results[0].Overflow.Sources["1.2.3.4"].Range == "" results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "cpanel-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/login/?login_only=1" results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[0].GetMeta("service") == "http" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "Root" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-29T14:06:40Z" -results[0].Overflow.Alert.Events[0].GetMeta("username") == "Root" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "cpanel-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/login/?login_only=1" results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[1].GetMeta("service") == "http" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "Root" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-29T14:06:41Z" 
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "Root" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "cpanel-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/login/?login_only=1" results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[2].GetMeta("service") == "http" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "Root" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-29T14:06:41Z" -results[0].Overflow.Alert.Events[2].GetMeta("username") == "Root" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "cpanel-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/login/?login_only=1" results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[3].GetMeta("service") == "http" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-29T14:06:42Z" -results[0].Overflow.Alert.Events[3].GetMeta("username") == "root" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "cpanel-bf.log" 
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/json-api/batch" results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[4].GetMeta("service") == "http" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toto" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-29T14:06:44Z" -results[0].Overflow.Alert.Events[4].GetMeta("username") == "toto" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "cpanel-bf.log" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "cpanel-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/login/?login_only=1" results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "POST" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_bf_log" results[0].Overflow.Alert.Events[5].GetMeta("service") == "http" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "toto@toto.com" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-29T14:06:45Z" -results[0].Overflow.Alert.Events[5].GetMeta("username") == "toto@toto.com" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/cpanel-bf" results[0].Overflow.Alert.Remediation == true -results[0].Overflow.Alert.GetEventsCount() == 6 \ No newline at end of file +results[0].Overflow.Alert.GetEventsCount() == 6 
diff --git a/.tests/cpanel-logs/parser.assert b/.tests/cpanel-logs/parser.assert index 07e2f32d0fb..8c67f82f7c6 100644 --- a/.tests/cpanel-logs/parser.assert +++ b/.tests/cpanel-logs/parser.assert @@ -74,7 +74,7 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["source_ip"] == "1 results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["http_path"] == "/.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2" results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["http_status"] == "200" -results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["username"] == "-" +results["s01-parse"]["crowdsecurity/cpanel-logs"][0].Evt.Meta["target_user"] == "-" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Success == true results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Parsed["request"] == "/etc/shadow" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Parsed["x_forwarded_for"] == "-" @@ -93,7 +93,7 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Parsed["message"] == "1 results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["log_type"] == "http_access-log" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["source_ip"] == "103.139.170.232" -results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["username"] == "-" +results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["target_user"] == "-" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["datasource_path"] == "cpanel-logs.log" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta["http_path"] == "/etc/shadow" 
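Review bot: Events [0]–[2] are plain access-log lines (`log_type == "http_access-log"`, one of them the `/etc/shadow` probe), yet after the rename they expose `Meta["target_user"] == "-"`, so the access log's remote-user placeholder is now published under the hub-wide `target_user` key. Any scenario that counts distinct `target_user` values or reports the attacked account will treat `-` as a real user, and an access-log line does not establish a targeted account at all. Suggest the parser leaves the meta unset when the field is `-` and these assertions become e.g. `"target_user" not in results["s01-parse"]["crowdsecurity/cpanel-logs"][1].Evt.Meta`. Note also that these events keep `log_type` while the auth-failure events later in the file lose it in favour of `auth_status`; that asymmetry looks deliberate but deserves a sentence in the parser description.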
@@ -119,7 +119,7 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["datasource_path"] results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["log_type"] == "http_access-log" results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["source_ip"] == "103.139.170.232" -results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["username"] == "-" +results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["target_user"] == "-" results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["http_path"] == "/etc/shadow" results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["http_status"] == "200" results["s01-parse"]["crowdsecurity/cpanel-logs"][2].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 
@@ -138,10 +138,10 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["datasource_path"] results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["http_path"] == "/login/?login_only=1" results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["http_verb"] == "POST" -results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["log_type"] == "auth_bf_log" +results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["auth_status"] == "failed" results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["username"] == "Root" +results["s01-parse"]["crowdsecurity/cpanel-logs"][3].Evt.Meta["target_user"] == "Root" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Success == true results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Parsed["message"] == "[2022-06-29 13:40:15 +1000] info [cpaneld] 1.2.3.4 - root \"POST /login/?login_only=1 HTTP/1.1\" FAILED LOGIN cpaneld: root login is not permitted to cpaneld" 
@@ -154,10 +154,10 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Parsed["username"] == " results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Parsed["remote_addr"] == "1.2.3.4" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["http_path"] == "/login/?login_only=1" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["http_verb"] == "POST" -results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["log_type"] == "auth_bf_log" +results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["auth_status"] == "failed" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["username"] == "root" +results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["target_user"] == "root" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["datasource_path"] == "cpanel-logs.log" results["s01-parse"]["crowdsecurity/cpanel-logs"][4].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Success == true 
@@ -171,10 +171,10 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Parsed["date"] == "2022 results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["http_path"] == "/json-api/batch" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["http_verb"] == "POST" -results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["log_type"] == "auth_bf_log" +results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["auth_status"] == "failed" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["username"] == "toto" +results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["target_user"] == "toto" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["datasource_path"] == "cpanel-logs.log" results["s01-parse"]["crowdsecurity/cpanel-logs"][5].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Success == true 
@@ -187,12 +187,12 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Parsed["date"] == "2022
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Parsed["http_version"] == "1.1"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Parsed["message"] == "[2022-06-29 15:29:06 +1000] info [whostmgrd] 1.2.3.4 - toto@toto.com \"POST /login/?login_only=1 HTTP/1.1\" FAILED LOGIN whostmgrd: user password incorrect"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["username"] == "toto@toto.com"
+results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["target_user"] == "toto@toto.com"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["datasource_path"] == "cpanel-logs.log"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["http_path"] == "/login/?login_only=1"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["http_verb"] == "POST"
-results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["log_type"] == "auth_bf_log"
+results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][6].Evt.Meta["service"] == "http"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Success == true
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Parsed["remote_addr"] == "1.2.3.4"
@@ -205,9 +205,9 @@ results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Parsed["message"] == "[
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Parsed["program"] == "cpanel"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["service"] == "http"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["username"] == "cscpanel"
+results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["target_user"] == "cscpanel"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["datasource_path"] == "cpanel-logs.log"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["http_path"] == "/login/?login_only=1"
 results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["http_verb"] == "POST"
-results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["log_type"] == "auth_bf_attempt"
\ No newline at end of file
+results["s01-parse"]["crowdsecurity/cpanel-logs"][7].Evt.Meta["auth_status"] == "failed"
\ No newline at end of file
diff --git a/.tests/cpanel_bf_attempt/scenario.assert b/.tests/cpanel_bf_attempt/scenario.assert
index 9e1f68b9761..d92f47f0a4a 100644
--- a/.tests/cpanel_bf_attempt/scenario.assert
+++ b/.tests/cpanel_bf_attempt/scenario.assert
@@ -8,11 +8,11 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "cpanel_bf_att
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/login/?login_only=1"
 results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "POST"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_bf_attempt"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "213.44.59.93"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-06-10T12:07:01Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "cscpanel"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "cscpanel"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/cpanel-bf-attempt"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 1
\ No newline at end of file
diff --git a/.tests/cve-2023-23397/parser.assert b/.tests/cve-2023-23397/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/cve-2023-49103/parser.assert b/.tests/cve-2023-49103/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/dockge-bf/scenario.assert b/.tests/dockge-bf/scenario.assert
index 88a975c4018..c16baf67208 100644
--- a/.tests/dockge-bf/scenario.assert
+++ b/.tests/dockge-bf/scenario.assert
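Review bot: With the `log_type == "auth_bf_attempt"` line replaced by `auth_status == "failed"`, nothing in this assertion distinguishes the single-event `cscpanel` probe from an ordinary failed cPanel login except the `target_user` line, yet the file still expects `GetScenario() == "crowdsecurity/cpanel-bf-attempt"` with `GetEventsCount() == 1`. That only holds if the scenario's filter has moved from the old `log_type` marker to something like `evt.Meta.target_user == 'cscpanel'`, which I cannot see from this diff. It would be worth pinning that contract here, for example by also asserting that no other overflow is produced for this one-line fixture (`len(results) == 1`, if it is not already asserted above the hunk), so a later loosening of the filter that lets every failed login trigger a one-shot ban is caught by the test.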
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
 results[0].Overflow.Sources["192.168.1.1"].Range == ""
 results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "example_username"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "example_username"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "test@example.com"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "test@example.com"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "test@example.com"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "test@example.com"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "dockge.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "dockge.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "dockge_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "dockge"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-03-12T04:31:44Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "test@example.com"
 results[0].Overflow.Alert.GetScenario() == "LearningSpot/dockge-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/dockge-logs/parser.assert b/.tests/dockge-logs/parser.assert
index ee7313e0a87..a6271680e37 100644
--- a/.tests/dockge-logs/parser.assert
+++ b/.tests/dockge-logs/parser.assert
@@ -3,13 +3,13 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2024-03-12T04:31:44Z [AUTH] WARN: Incorrect username or password for user example_username. IP=192.168.1.1"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "dockge"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "dockge.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2024-03-12T04:31:44Z [AUTH] WARN: Incorrect username or password for user test@example.com. IP=192.168.1.1"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "dockge"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "dockge.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
@@ -22,12 +22,12 @@ results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Parsed["program"] == "do
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Parsed["timestamp"] == "2024-03-12T04:31:44Z"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Parsed["username"] == "example_username"
-results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["datasource_path"] == "dockge.log"
+results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["log_type"] == "dockge_failed_auth"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["service"] == "dockge"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["username"] == "example_username"
+results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Meta["target_user"] == "example_username"
 results["s01-parse"]["LearningSpot/dockge-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Success == true
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Parsed["message"] == "2024-03-12T04:31:44Z [AUTH] WARN: Incorrect username or password for user test@example.com. IP=192.168.1.1"
@@ -35,12 +35,12 @@ results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Parsed["program"] == "do
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Parsed["timestamp"] == "2024-03-12T04:31:44Z"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Parsed["username"] == "test@example.com"
-results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["datasource_path"] == "dockge.log"
+results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["log_type"] == "dockge_failed_auth"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["service"] == "dockge"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["username"] == "test@example.com"
+results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Meta["target_user"] == "test@example.com"
 results["s01-parse"]["LearningSpot/dockge-logs"][1].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -49,13 +49,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2024-03-12T04:31:44Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "example_username"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "dockge.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "dockge_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "dockge"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "example_username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-03-12T04:31:44Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "example_username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-03-12T04:31:44Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
@@ -64,13 +64,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2024-03-12T04:31:44Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "dockge.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "dockge.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "dockge_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "dockge"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-03-12T04:31:44Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-03-12T04:31:44Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/dovecot-logs/parser.assert b/.tests/dovecot-logs/parser.assert
index a1b5e8f177a..b3afb1dd9cc 100644
--- a/.tests/dovecot-logs/parser.assert
+++ b/.tests/dovecot-logs/parser.assert
@@ -148,7 +148,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["timestamp"] == "Sep 8 07:46:30"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
@@ -165,7 +165,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["timestamp"] == "Sep 8 07:16:29"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1"
@@ -183,7 +183,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["protocol"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["timestamp"] == "Sep 8 07:16:27"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["source_ip"] == "1.1.1.1"
@@ -200,7 +200,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["protocol"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["timestamp"] == "Oct 12 15:44:43"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["source_ip"] == "172.17.0.1"
@@ -217,7 +217,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["protocol"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["timestamp"] == "Oct 12 15:46:28"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["source_ip"] == "172.17.0.1"
@@ -234,7 +234,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["protocol"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["timestamp"] == "Oct 12 15:53:32"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["source_ip"] == "172.17.0.1"
@@ -251,7 +251,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["protocol"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["timestamp"] == "Oct 12 15:54:33"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["source_ip"] == "172.17.0.1"
@@ -299,7 +299,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["timestamp"] == "Apr 29 15:54:19"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["source_ip"] == "5.34.207.151"
@@ -316,7 +316,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["program"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["timestamp"] == "Apr 29 15:54:21"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["source_ip"] == "5.34.207.161"
@@ -332,7 +332,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["program"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["timestamp"] == "Apr 18 08:31:30"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["source_ip"] == "220.169.110.101"
@@ -348,7 +348,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["program"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["timestamp"] == "Apr 18 08:31:30"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["source_ip"] == "220.169.110.101"
@@ -364,7 +364,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["program"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["timestamp8601"] == "2024-12-31T06:56:17.784598+01:00"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["source_ip"] == "192.168.1.1"
@@ -379,7 +379,7 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["program"] ==
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["timestamp8601"] == "2025-01-01T17:05:06.533969+01:00"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["machine"] == "mail2"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["source_ip"] == "192.168.1.1"
diff --git a/.tests/dovecot-spam/parser.assert b/.tests/dovecot-spam/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/dovecot-spam/scenario.assert b/.tests/dovecot-spam/scenario.assert
index 90ba5029c30..9e78c99afdb 100644
--- a/.tests/dovecot-spam/scenario.assert
+++ b/.tests/dovecot-spam/scenario.assert
@@ -4,34 +4,42 @@ results[0].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[0].Overflow.Sources["2.2.2.2"].Range == ""
 results[0].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "dovecot-spam.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("dovecot_login_result") == "auth_failed"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "dovecot_logs"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "mail"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "dovecot"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-04-29T15:54:18Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "dovecot-spam.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "california@customdomaine.com"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-04-29T15:54:18Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("dovecot_login_result") == "auth_failed"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "dovecot_logs"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "mail"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "dovecot"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-04-29T15:54:19Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "dovecot-spam.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "caliph@customdomaine.com"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-04-29T15:54:19Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("dovecot_login_result") == "auth_failed"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "dovecot_logs"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "mail"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "dovecot"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-04-29T15:54:20Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "dovecot-spam.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "needle"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-04-29T15:54:20Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("dovecot_login_result") == "auth_failed"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "dovecot_logs"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "mail"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "dovecot"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-04-29T15:54:21Z"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "neem"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-04-29T15:54:21Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/dovecot-spam"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 4
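Review bot: The four new `timestamp` assertions in this hunk pin a literal year (`"2025-04-29T15:54:18Z"` through `"2025-04-29T15:54:21Z"`) even though the dovecot lines behind them carry no year — the parser asserts for the same parser earlier in this diff show `Parsed["timestamp"] == "Apr 29 15:54:19"` — so the year comes from dateparse-enrich at run time. The removed `[4:] == "-04-29T15:54:18Z"` form was year-agnostic for exactly that reason, and unless the hub test harness now fixes the clock (nothing here shows that), these lines will start failing at the next year rollover. Either restore the slice, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-04-29T15:54:18Z"`, or move the fixture to a log format that carries the year (the `timestamp8601` samples in dovecot-logs/parser.assert show the parser already handles one).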
@@ -40,34 +48,42 @@ results[1].Overflow.Sources["172.17.0.1"].IP == "172.17.0.1"
 results[1].Overflow.Sources["172.17.0.1"].Range == ""
 results[1].Overflow.Sources["172.17.0.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["172.17.0.1"].GetValue() == "172.17.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "dovecot-spam.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("dovecot_login_result") == "auth_failed"
 results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "dovecot_logs"
 results[1].Overflow.Alert.Events[0].GetMeta("machine") == "canyon"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "dovecot"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-12T15:44:47Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "dovecot-spam.log"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "hess@lol.fr"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-12T15:44:47Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("dovecot_login_result") == "auth_failed"
 results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "dovecot_logs"
 results[1].Overflow.Alert.Events[1].GetMeta("machine") == "canyon"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "dovecot"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
-results[1].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-12T15:46:28Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "dovecot-spam.log"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "hess@test.fr"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-10-12T15:46:28Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("dovecot_login_result") == "auth_failed"
 results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "dovecot_logs"
 results[1].Overflow.Alert.Events[2].GetMeta("machine") == "canyon"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "dovecot"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
-results[1].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-12T15:46:32Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "dovecot-spam.log"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "hess@testnew.fr"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-10-12T15:46:32Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("dovecot_login_result") == "auth_failed"
 results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "dovecot_logs"
 results[1].Overflow.Alert.Events[3].GetMeta("machine") == "canyon"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "dovecot"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
-results[1].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-12T15:46:33Z"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "test@yourdomain.net"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-10-12T15:46:33Z"
 results[1].Overflow.Alert.GetScenario() == "crowdsecurity/dovecot-spam"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 4
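Review bot: The replacement timestamp assertions in this hunk pin a full year, e.g. `+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-12T15:44:47Z"`, while the lines they replace deliberately cut it off with `GetMeta("timestamp")[4:] == "-10-12T15:44:47Z"`. That slice is the usual way to cope with fixture lines that carry no year (the parser then fills in the current one), and nothing in this diff shows the `dovecot-spam.log` fixture gaining a year, so if it is still year-less these assertions become clock-dependent and will start failing once the year rolls over. The same rewrite appears in the results[2] hunk that follows and in the results[0] hunk that begins before this excerpt. If the fixture lines are year-less, keep the `[4:]` form; if the fixture was updated to full timestamps, the exact comparison is fine but worth confirming against it.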
@@ -76,34 +92,42 @@ results[2].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[2].Overflow.Sources["1.1.1.1"].Range == ""
 results[2].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[2].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "dovecot-spam.log"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("dovecot_login_result") == "auth_failed"
 results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "dovecot_logs"
 results[2].Overflow.Alert.Events[0].GetMeta("machine") == "canyon"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "dovecot"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
-results[2].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-12T15:44:43Z"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "dovecot-spam.log"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "toto"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-12T15:44:43Z"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("dovecot_login_result") == "auth_failed"
 results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "dovecot_logs"
 results[2].Overflow.Alert.Events[1].GetMeta("machine") == "canyon"
+results[2].Overflow.Alert.Events[1].GetMeta("service") == "dovecot"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
-results[2].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-12T15:44:44Z"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "dovecot-spam.log"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "toto"
+results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-10-12T15:44:44Z"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("dovecot_login_result") == "auth_failed"
 results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "dovecot_logs"
 results[2].Overflow.Alert.Events[2].GetMeta("machine") == "canyon"
+results[2].Overflow.Alert.Events[2].GetMeta("service") == "dovecot"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
-results[2].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-12T15:44:45Z"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "dovecot-spam.log"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "toto@toto.com"
+results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-10-12T15:44:45Z"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "dovecot-spam.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("dovecot_login_result") == "auth_failed"
 results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "dovecot_logs"
 results[2].Overflow.Alert.Events[3].GetMeta("machine") == "canyon"
+results[2].Overflow.Alert.Events[3].GetMeta("service") == "dovecot"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
-results[2].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-12T15:44:46Z"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "toto@toto.com"
+results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-10-12T15:44:46Z"
 results[2].Overflow.Alert.GetScenario() == "crowdsecurity/dovecot-spam"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/dropbear-logs/parser.assert b/.tests/dropbear-logs/parser.assert
index a838fde775f..267bf1649bb 100644
--- a/.tests/dropbear-logs/parser.assert
+++ b/.tests/dropbear-logs/parser.assert
@@ -3,25 +3,25 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Exit (root): Disconnect received"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "dropbear"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Bad PAM password attempt for 'foobar' from 192.168.9.163:49242"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "dropbear"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "Login attempt for nonexistent user from 192.168.9.163:49906"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "dropbear"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "Exit before auth from <192.168.1.1:35928>: Bad buf_getptr"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "dropbear"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
@@ -37,9 +37,9 @@ results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Parsed["port"] == "49
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Parsed["program"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Parsed["source_ip"] == "192.168.9.163"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Parsed["user"] == "foobar"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["service"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["source_ip"] == "192.168.9.163"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][1].Evt.Meta["target_user"] == "foobar"
@@ -49,9 +49,9 @@ results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Parsed["message"] ==
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Parsed["port"] == "49906"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Parsed["program"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Parsed["source_ip"] == "192.168.9.163"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["service"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Meta["source_ip"] == "192.168.9.163"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][2].Evt.Whitelisted == false
@@ -60,9 +60,9 @@ results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Parsed["message"] ==
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Parsed["port"] == "35928"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Parsed["program"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["datasource_path"] == "dropbear-logs.log"
+results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["datasource_path"]) == "dropbear-logs.log"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["service"] == "dropbear"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/dropbear-logs"][3].Evt.Whitelisted == false
diff --git a/.tests/emby-bf/parser.assert b/.tests/emby-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/emby-bf/scenario.assert b/.tests/emby-bf/scenario.assert
index b14d6ffb798..4257ca28734 100644
--- a/.tests/emby-bf/scenario.assert
+++ b/.tests/emby-bf/scenario.assert
@@ -4,42 +4,42 @@ results[0].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[0].Overflow.Sources["1.1.1.1"].Range == ""
 results[0].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "emby-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "emby-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "emby_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "emby"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T18:01:07.092Z"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/emby-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/emby-logs/parser.assert b/.tests/emby-logs/parser.assert
index c51344fc4b0..8f8aeb2b47d 100644
--- a/.tests/emby-logs/parser.assert
+++ b/.tests/emby-logs/parser.assert
@@ -1,11 +1,29 @@
-len(results["s01-parse"]["LePresidente/emby-logs"]) == 1
+len(results) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-02-14 18:01:07.092 Warn Server: AUTH-ERROR: 1.1.1.1 - Invalid username or password entered."
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "emby"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s01-parse"]["LePresidente/emby-logs"][0].Success == true
 results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Parsed["message"] == "2022-02-14 18:01:07.092 Warn Server: AUTH-ERROR: 1.1.1.1 - Invalid username or password entered."
 results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Parsed["program"] == "emby"
 results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Parsed["timestamp"] == "2022-02-14 18:01:07.092"
-results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["datasource_path"] == "emby-logs.log"
+results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["log_type"] == "emby_failed_auth"
-results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["service"] == "emby"
\ No newline at end of file
+results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["service"] == "emby"
+results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-02-14 18:01:07.092 Warn Server: AUTH-ERROR: 1.1.1.1 - Invalid username or password entered."
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "emby"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-02-14 18:01:07.092"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "emby"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-02-14T18:01:07.092Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-02-14T18:01:07.092Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
diff --git a/.tests/endlessh-syslogs/parser.assert b/.tests/endlessh-syslogs/parser.assert
deleted file mode 100644
index 9709666b6d9..00000000000
--- a/.tests/endlessh-syslogs/parser.assert
+++ /dev/null
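Review bot: The `datasource_path` assertion on the s01-parse event is dropped here rather than converted, so this file no longer checks which fixture the event came from at all, unlike the dropbear and emby-bf hunks in this diff that switched to `basename(...)`. Suggest restoring it as `basename(results["s01-parse"]["LePresidente/emby-logs"][0].Evt.Meta["datasource_path"]) == "emby-logs.log"` and mirroring it in the new s00-raw and s02-enrich blocks. Also, `len(results["s01-parse"]["LePresidente/emby-logs"]) == 1` is replaced only by the top-level `len(results) == 4`, which counts stages rather than parsed events, so an extra or missing parsed line would no longer be caught; keeping a per-stage `len(...)` alongside it would preserve that check.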
@@ -1,99 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "34256"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "endlessh"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "mono"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "endlessh"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:55.709713+02:00"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "34256"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "mono"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "34256"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "endlessh"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "mono"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "34256"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "endlessh"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:49.769219+02:00"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "mono"
-len(results["s01-parse"]["crowdsecurity/endlessh-logs"]) == 4
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["pid"] == "34256"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["program"] == "endlessh"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["source_ip"] == "124.222.66.99"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["source_ip"] == "124.222.66.99"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["log_type"] == "endlessh_accept"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["machine"] == "mono"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["service"] == "endlessh"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][1].Success == false
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["pid"] == "34256"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["program"] == "endlessh"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["source_ip"] == "65.49.1.109"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["log_type"] == "endlessh_accept"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["machine"] == "mono"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["service"] == "endlessh"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["source_ip"] == "65.49.1.109"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s01-parse"]["crowdsecurity/endlessh-logs"][3].Success == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "endlessh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "34256"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "124.222.66.99"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-08-17T16:55:35.689651+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "endlessh_accept"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "mono"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "endlessh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "124.222.66.99"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-08-17T16:55:35.689651+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "34256"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "endlessh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "65.49.1.109"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "endlessh_accept"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "mono"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "endlessh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "65.49.1.109"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-08-17T17:01:29.754473+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "endlessh-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-08-17T17:01:29.754473+02:00"
-len(results["success"][""]) == 0
diff --git a/.tests/exchange-imap-bf/parser.assert b/.tests/exchange-imap-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/exchange-pop-bf/parser.assert b/.tests/exchange-pop-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/exchange-smtp-bf/parser.assert b/.tests/exchange-smtp-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/exim-bf/parser.assert b/.tests/exim-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/exim-bf/scenario.assert b/.tests/exim-bf/scenario.assert
index bcebfa56e0b..cabd935ce36 100644
--- a/.tests/exim-bf/scenario.assert
+++ b/.tests/exim-bf/scenario.assert
@@ -1,121 +1,55 @@
-len(results) == 2
+len(results) == 1
 "1.2.3.4" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "exim"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("source_helo") == "[1.2.3.5]"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-29T16:04:05Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "info@test.com"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "exim"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[1].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
 results[0].Overflow.Alert.Events[1].GetMeta("source_helo") == "[1.2.3.5]"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-29T16:04:08Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "info1@test.com"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "exim"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[2].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
 results[0].Overflow.Alert.Events[2].GetMeta("source_helo") == "[1.2.3.5]"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-29T16:04:10Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "info2@test.com"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "exim"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[3].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
 results[0].Overflow.Alert.Events[3].GetMeta("source_helo") == "[1.2.3.5]"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-29T16:04:10Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "info3@test.com"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "exim"
-results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[4].GetMeta("source_helo") == "[1.2.3.5]"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-29T16:04:14Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "info5@test.com"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "exim-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "exim-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "exim_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "exim"
 results[0].Overflow.Alert.Events[5].GetMeta("source_dns") == "imfo.test.com"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("source_user") == "info6@test.com"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "info6@test.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-29T16:04:14Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "sales@toto.com.au"
-results[0].Overflow.Alert.GetScenario() == "crowdsecurity/exim-user-bf"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/exim-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-"1.2.3.4" in results[1].Overflow.GetSources()
-results[1].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
-results[1].Overflow.Sources["1.2.3.4"].Range == ""
-results[1].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
-results[1].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[0].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[0].GetMeta("source_helo") == "[1.2.3.5]"
-results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-29T16:04:05Z"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "info@test.com"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[1].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[1].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
-results[1].Overflow.Alert.Events[1].GetMeta("source_helo") == "[1.2.3.5]"
-results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-29T16:04:08Z"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "info1@test.com"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[2].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[2].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
-results[1].Overflow.Alert.Events[2].GetMeta("source_helo") == "[1.2.3.5]"
-results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-29T16:04:10Z"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "info2@test.com"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[3].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[3].GetMeta("source_dns") == "ppp-1-2-3-4.test.test.co.th"
-results[1].Overflow.Alert.Events[3].GetMeta("source_helo") == "[1.2.3.5]"
-results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-29T16:04:10Z"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "info3@test.com"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[4].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[4].GetMeta("source_helo") == "[1.2.3.5]"
-results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-29T16:04:14Z"
-results[1].Overflow.Alert.Events[4].GetMeta("username") == "info5@test.com"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "exim-bf.log"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "exim_failed_auth"
-results[1].Overflow.Alert.Events[5].GetMeta("service") == "exim"
-results[1].Overflow.Alert.Events[5].GetMeta("source_dns") == "imfo.test.com"
-results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[1].Overflow.Alert.Events[5].GetMeta("source_user") == "info6@test.com"
-results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-29T16:04:14Z"
-results[1].Overflow.Alert.Events[5].GetMeta("username") == "sales@toto.com.au"
-results[1].Overflow.Alert.GetScenario() == "crowdsecurity/exim-bf"
-results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/exim-logs/parser.assert b/.tests/exim-logs/parser.assert
index e361d30dd4a..ab332faa9bb 100644
--- a/.tests/exim-logs/parser.assert
+++ b/.tests/exim-logs/parser.assert
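Review bot: On event 5 the `source_user` meta assertion is renamed to `target_user` while keeping the sender value (`info6@test.com`), and the `username == "sales@toto.com.au"` assertion that held the recipient is dropped, so `target_user` now pins what the old side called the source. If the parser deliberately maps the sender into `target_user`, anyone reading alert context will see the sender address under a key that names the targeted account, so please confirm the mapping is intended rather than swapped; the exim-logs parser.assert hunk further down shows the same pattern for events 3 and 4 but runs past this view. Events 0–4 also lose their `username` assertions with no replacement, leaving no per-event account pinned for the authenticator failures. If the parser still exposes one, an assertion such as `results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "info@test.com"` would keep it covered.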
@@ -1,65 +1,78 @@
+ len(results) == 4
 len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 12
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-06-29 16:04:19 dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-06-29 16:04:05 dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022-06-29 16:07:05 dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2022-06-29 15:33:46 H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2022-06-29 14:34:58 H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022-06-29 14:33:43 H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\""
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender."
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "exim"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "2022-06-29 13:54:29 H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "exim"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "2023-05-30 06:10:12 login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "2023-05-30 06:10:13.345 login authenticator failed for millis.example.org [192.0.2.12]:5432: 535 Incorrect authentication data (set_id=user)"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "2023-05-30 06:10:14 login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 12
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
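Review bot: The added first line `+ len(results) == 4` carries a leading space in the assertion text, which no other line in this file has; if the assert loader does not trim whitespace the expression is a different line from the rest, and either way the stray indent reads as a typo. Suggest `+len(results) == 4` so it matches the surrounding assertions.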
@@ -75,450 +88,533 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == false len(results["s01-parse"]["crowdsecurity/exim-logs"]) == 12 results["s01-parse"]["crowdsecurity/exim-logs"][0].Success == true -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["target_user"] == "abuse@test.com" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["date"] == "2022-06-29 16:04:19" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_auth"] == "dovecot_login" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_day"] == "29" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_month"] == "06" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_time"] == "16:04:19" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_year"] == "2022" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["message"] == "2022-06-29 16:04:19 dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["program"] == "exim" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_port"] == "55379" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["target_user"] == "abuse@test.com" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_path"]) == "exim-logs.log" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_type"] == "file" 
results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_helo"] == "[1.2.3.5]" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["username"] == "abuse@test.com" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["log_type"] == "exim_failed_auth" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/exim-logs"][1].Success == true results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["date"] == "2022-06-29 16:04:05" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_auth"] == "dovecot_plain" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_day"] == "29" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_month"] == "06" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_time"] == "16:04:05" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_year"] == "2022" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["message"] == "2022-06-29 16:04:05 dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["program"] == "exim" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_helo"] == "mail.test.com" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_ip"] == "202.137.142.181" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_port"] == "47807" 
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_helo"] == "mail.test.com" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["target_user"] == "dave" -results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["username"] == "dave" -results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["log_type"] == "exim_failed_auth" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_ip"] == "202.137.142.181" results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_helo"] == "mail.test.com" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_ip"] == "202.137.142.181" +results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/exim-logs"][2].Success == true results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["date"] == "2022-06-29 16:07:05" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_auth"] == "dovecot_login" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_day"] == "29" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_month"] == "06" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_time"] == "16:07:05" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_year"] == "2022" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["message"] == "2022-06-29 16:07:05 dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect 
authentication data (set_id=info@test.com)" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["program"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_port"] == "51451" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_dns"] == "ppp-1-2-3-4.test.test.co.th" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_helo"] == "[127.0.0.1]" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_port"] == "51451" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["target_user"] == "info@test.com" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["log_type"] == "exim_failed_auth" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_path"]) == "exim-logs.log" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_dns"] == "ppp-1-2-3-4.test.test.co.th" results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_helo"] == "[127.0.0.1]" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["username"] == "info@test.com" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Whitelisted == false 
results["s01-parse"]["crowdsecurity/exim-logs"][3].Success == true -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["message"] == "2022-06-29 15:33:46 H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\"" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_port"] == "53343" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["target_user"] == "toto@toto.com" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["date"] == "2022-06-29 15:33:46" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["exim_day"] == "29" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["exim_month"] == "06" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["exim_time"] == "15:33:46" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["exim_year"] == "2022" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["message"] == "2022-06-29 15:33:46 H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\"" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["program"] == "exim" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_dns"] == "test.com" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_port"] == "53343" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_user"] == "info@test.com" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS" 
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_dns"] == "test.com" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["target_user"] == "toto@toto.com" +basename(results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_path"]) == "exim-logs.log" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["log_type"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["service"] == "exim" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_dns"] == "test.com" results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_user"] == "info@test.com" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["username"] == "toto@toto.com" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["target_user"] == "info@test.com" +results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/exim-logs"][4].Success == true results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["date"] == "2022-06-29 14:34:58" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["exim_day"] == "29" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["exim_month"] == "06" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["exim_time"] == "14:34:58" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["exim_year"] == "2022" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["message"] == "2022-06-29 
14:34:58 H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["program"] == "exim" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_dns"] == "imfo.test.biz" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_port"] == "35328" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_user"] == "jack@test.biz" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["target_user"] == "sales@toto.com.au" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["program"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_port"] == "35328" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_user"] == "jack@test.biz" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["username"] == "sales@toto.com.au" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["log_type"] == "exim_failed_auth" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["service"] == "exim" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_dns"] == "imfo.test.biz" results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4" 
+results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["target_user"] == "jack@test.biz"
+results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["acl"] == "connect"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["date"] == "2022-06-29 14:33:43"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["exim_day"] == "29"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["exim_month"] == "06"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["exim_time"] == "14:33:43"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["exim_year"] == "2022"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["message"] == "2022-06-29 14:33:43 H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\""
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["program"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["rate_limit"] == "1.9/1h max:1.2"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_dns"] == "test.sa.com"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_port"] == "18146"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["acl"] == "connect"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["date"] == "2022-06-29 14:33:43"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["log_type"] == "spam-attempt"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["service"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["source_dns"] == "test.sa.com"
 results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Success == true
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["date"] == "2022-06-29 15:47:21"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["exim_day"] == "29"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["exim_month"] == "06"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["exim_time"] == "15:47:21"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["exim_year"] == "2022"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender."
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["program"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_dns"] == "tata.test.biz"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_port"] == "41584"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_user"] == "toto@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["date"] == "2022-06-29 15:47:21"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_user"] == "toto@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["log_type"] == "spam-attempt"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["service"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_dns"] == "tata.test.biz"
 results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["target_user"] == "toto@test.biz"
+results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Success == true
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["date"] == "2022-06-29 15:47:21"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["exim_day"] == "29"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["exim_month"] == "06"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["exim_time"] == "15:47:21"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["exim_year"] == "2022"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["program"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_dns"] == "tata.test.biz"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_port"] == "41584"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_user"] == "nico@test.biz"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["date"] == "2022-06-29 15:47:21"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_dns"] == "tata.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_user"] == "nico@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["username"] == "titi@alpacas.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["log_type"] == "spam-attempt"
 results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["service"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_dns"] == "tata.test.biz"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["target_user"] == "nico@test.biz"
+results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Success == true
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["date"] == "2022-06-29 13:54:29"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_helo"] == "smtpclient.test"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_ip"] == "1.136.28.14"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_user"] == "info@toto.com.au"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["exim_day"] == "29"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["exim_month"] == "06"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["exim_time"] == "13:54:29"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["exim_year"] == "2022"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["message"] == "2022-06-29 13:54:29 H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["program"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_helo"] == "smtpclient.test"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_ip"] == "1.136.28.14"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_port"] == "17125"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_user"] == "info@toto.com.au"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["target_port"] == "587"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["target_user"] == "tutu@titi.com.au"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["tls_cipher"] == "TLS1.3:TLS_AES_128_GCM_SHA256:128"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_user"] == "info@toto.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["target_port"] == "587"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_helo"] == "smtpclient.test"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_ip"] == "1.136.28.14"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["username"] == "tutu@titi.com.au"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["log_type"] == "spam-attempt"
 results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["service"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_helo"] == "smtpclient.test"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_ip"] == "1.136.28.14"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["target_port"] == "587"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["target_user"] == "info@toto.com.au"
+results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_dns"] == "no-helo.example.org"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_port"] == "5432"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["date"] == "2023-05-30 06:10:12"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_auth"] == "login"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_day"] == "30"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_month"] == "05"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_time"] == "06:10:12"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_year"] == "2023"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["message"] == "2023-05-30 06:10:12 login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_auth"] == "login"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_day"] == "30"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_dns"] == "no-helo.example.org"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_ip"] == "192.0.2.11"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_port"] == "5432"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["target_user"] == "user"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["service"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["source_dns"] == "no-helo.example.org"
 results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["source_ip"] == "192.0.2.11"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["username"] == "user"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["log_type"] == "exim_failed_auth"
+results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_port"] == "5432"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["target_user"] == "user"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["date"] == "2023-05-30 06:10:13.345"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_auth"] == "login"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_day"] == "30"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_month"] == "05"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_time"] == "06:10:13.345"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_day"] == "30"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_year"] == "2023"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["message"] == "2023-05-30 06:10:13.345 login authenticator failed for millis.example.org [192.0.2.12]:5432: 535 Incorrect authentication data (set_id=user)"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["program"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_dns"] == "millis.example.org"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_ip"] == "192.0.2.12"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_dns"] == "millis.example.org"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_ip"] == "192.0.2.12"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["username"] == "user"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_port"] == "5432"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["target_user"] == "user"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["log_type"] == "exim_failed_auth"
 results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["service"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_dns"] == "millis.example.org"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_ip"] == "192.0.2.12"
+results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Success == true
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["date"] == "2023-05-30 06:10:14"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_auth"] == "login"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_day"] == "30"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_month"] == "05"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_time"] == "06:10:14"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_year"] == "2023"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["message"] == "2023-05-30 06:10:14 login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["source_dns"] == "no-port.example.org"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["target_user"] == "user"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["date"] == "2023-05-30 06:10:14"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_auth"] == "login"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["exim_month"] == "05"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["program"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["source_dns"] == "no-port.example.org"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["source_ip"] == "192.0.2.13"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Parsed["target_user"] == "user"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["log_type"] == "exim_failed_auth"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["service"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["source_dns"] == "no-port.example.org"
 results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["source_ip"] == "192.0.2.13"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["username"] == "user"
-results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][11].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 12
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55379"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "abuse@test.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2022-06-29 16:04:19"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_auth"] == "dovecot_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_day"] == "29"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_time"] == "16:04:19"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["exim_year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-06-29 16:04:19 dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "exim"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "exim_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55379"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "abuse@test.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "exim"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_helo"] == "[1.2.3.5]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-06-29T16:04:19Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "abuse@test.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-06-29T16:04:19Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2022-06-29 16:04:05"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_auth"] == "dovecot_plain"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_day"] == "29"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_time"] == "16:04:05"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-06-29 16:04:05 dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "exim"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_helo"] == "mail.test.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "202.137.142.181"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_port"] == "47807"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_helo"] == "mail.test.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_user"] == "dave"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2022-06-29 16:04:05"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-06-29 16:04:05 dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "exim_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "exim"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "202.137.142.181"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_helo"] == "mail.test.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "202.137.142.181"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-06-29T16:04:05Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "dave"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-06-29T16:04:05Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_user"] == "info@test.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["date"] == "2022-06-29 16:07:05"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["exim_auth"] == "dovecot_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["exim_day"] == "29"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["exim_month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["exim_time"] == "16:07:05"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["exim_year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-06-29 16:07:05 dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "exim"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_port"] == "51451"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_dns"] == "ppp-1-2-3-4.test.test.co.th"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_helo"] == "[127.0.0.1]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_port"] == "51451"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_user"] == "info@test.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "exim_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "exim"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_dns"] == "ppp-1-2-3-4.test.test.co.th"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_helo"] == "[127.0.0.1]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-06-29T16:07:05Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "exim-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "info@test.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-06-29T16:07:05Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-06-29T16:07:05Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["date"] == "2022-06-29 15:33:46"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["exim_day"] == "29"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["exim_month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["exim_time"] == "15:33:46"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["exim_year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2022-06-29 15:33:46 H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "exim"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_user"] == "toto@toto.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2022-06-29 15:33:46 H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_dns"] == "test.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "53343"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_user"] == "info@test.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["date"] == "2022-06-29 15:33:46"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_user"] == "toto@toto.com"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "spam-attempt"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "exim"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_dns"] == "test.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-06-29T15:33:46Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_user"] == "info@test.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "toto@toto.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "spam-attempt"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "info@test.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-06-29T15:33:46Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-06-29T15:33:46Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["date"] == "2022-06-29 14:34:58"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "exim"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["exim_day"] == "29"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["exim_month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["exim_time"] == "14:34:58"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["exim_year"] == "2022"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2022-06-29 14:34:58 H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_dns"] == "imfo.test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_port"] == "35328" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_user"] == "jack@test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["target_user"] == "sales@toto.com.au" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_user"] == "jack@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-06-29T14:34:58Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "sales@toto.com.au" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "exim-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_dns"] == "imfo.test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "exim-logs.log" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "exim_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "jack@test.biz" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-06-29T14:34:58Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-06-29T14:34:58Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_dns"] == "test.sa.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_port"] == "18146" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["acl"] == "connect" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["date"] == "2022-06-29 14:33:43" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["exim_day"] == "29" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["exim_month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["exim_time"] == "14:33:43" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["exim_year"] == "2022" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2022-06-29 14:33:43 H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["rate_limit"] == "1.9/1h max:1.2" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-06-29T14:33:43Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_dns"] == "test.sa.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_port"] == "18146" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "spam-attempt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_dns"] == "test.sa.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-06-29T14:33:43Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-06-29T14:33:43Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_port"] == "41584" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_user"] == "toto@test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["date"] == "2022-06-29 15:47:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["exim_day"] == "29" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["exim_month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["exim_time"] == "15:47:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["exim_year"] == "2022" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender." results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_dns"] == "tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_user"] == "toto@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-06-29T15:47:21Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_port"] == "41584" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_user"] == "toto@test.biz" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "spam-attempt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_dns"] == "tata.test.biz" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "toto@test.biz" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-06-29T15:47:21Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-06-29T15:47:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["date"] == "2022-06-29 15:47:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["exim_day"] == "29" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["exim_month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["exim_time"] == "15:47:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["exim_year"] == "2022" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "2022-06-29 15:47:21 H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["date"] == "2022-06-29 15:47:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_dns"] == "tata.test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "1.2.3.4" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_port"] == "41584" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_user"] == "nico@test.biz" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_dns"] == "tata.test.biz" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "spam-attempt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "titi@alpacas.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_dns"] == "tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_user"] == "nico@test.biz" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "nico@test.biz" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-06-29T15:47:21Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2022-06-29T15:47:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_port"] == "17125" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_port"] == "587" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["tls_cipher"] == "TLS1.3:TLS_AES_128_GCM_SHA256:128" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["date"] == "2022-06-29 13:54:29" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["exim_day"] == "29" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["exim_month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["exim_time"] == "13:54:29" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["exim_year"] == "2022" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "2022-06-29 13:54:29 H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_helo"] == "smtpclient.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_user"] == "tutu@titi.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["date"] == "2022-06-29 13:54:29" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "1.136.28.14" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_port"] == "17125" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_user"] == "info@toto.com.au" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_port"] == "587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_user"] == "tutu@titi.com.au" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["tls_cipher"] == 
"TLS1.3:TLS_AES_128_GCM_SHA256:128" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "1.136.28.14" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_port"] == "587" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-06-29T13:54:29Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "spam-attempt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_helo"] == "smtpclient.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_user"] == "info@toto.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "tutu@titi.com.au" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "1.136.28.14" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_port"] == "587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "info@toto.com.au" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-06-29T13:54:29Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2022-06-29T13:54:29Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_port"] == "5432" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["date"] == "2023-05-30 06:10:12" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_auth"] == "login" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_dns"] == "no-helo.example.org" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "2023-05-30 06:10:12 login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.0.2.11" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["target_user"] == "user" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_day"] == "30" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_month"] == "05" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_time"] == "06:10:12" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-05-30T06:10:12Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "2023-05-30 06:10:12 login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "exim" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_dns"] == "no-helo.example.org" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.0.2.11" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_port"] == "5432" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["target_user"] == "user" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "exim_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_dns"] == "no-helo.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.0.2.11" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-05-30T06:10:12Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2023-05-30T06:10:12Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["date"] == "2023-05-30 06:10:13.345" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_auth"] == "login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_day"] == "30" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_month"] == "05" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_time"] == "06:10:13.345" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_year"] == "2023" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "2023-05-30 06:10:13.345 login authenticator failed for millis.example.org [192.0.2.12]:5432: 535 Incorrect authentication data (set_id=user)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_dns"] == "millis.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "192.0.2.12" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_port"] == "5432" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["target_user"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_auth"] == "login" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_day"] == "30" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_time"] == "06:10:13.345" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "exim-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "exim_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_dns"] == 
"millis.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.0.2.12" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2023-05-30T06:10:13.345Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2023-05-30T06:10:13.345Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_time"] == "06:10:14" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_dns"] == "no-port.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["date"] == "2023-05-30 06:10:14" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_auth"] == "login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_day"] == "30" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_month"] == "05" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_time"] == "06:10:14" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["exim_year"] == "2023" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2023-05-30 06:10:14 login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "exim" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_dns"] == "no-port.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == 
"192.0.2.13" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["target_user"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2023-05-30 06:10:14 login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "exim_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "exim" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_dns"] == "no-port.example.org" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.0.2.13" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-05-30T06:10:14Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["username"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "exim-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2023-05-30T06:10:14Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false len(results["success"][""]) == 0 + diff --git a/.tests/exim-logs/scenario.assert b/.tests/exim-logs/scenario.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/exim-spam/parser.assert b/.tests/exim-spam/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/exim-spam/scenario.assert b/.tests/exim-spam/scenario.assert index 38e1c8d5b70..1ec8748f79d 100644 
--- a/.tests/exim-spam/scenario.assert
+++ b/.tests/exim-spam/scenario.assert
@@ -1,43 +1,42 @@ + len(results) == 2 "1.2.3.5" in results[0].Overflow.GetSources() results[0].Overflow.Sources["1.2.3.5"].IP == "1.2.3.5" results[0].Overflow.Sources["1.2.3.5"].Range == "" results[0].Overflow.Sources["1.2.3.5"].GetScope() == "Ip" results[0].Overflow.Sources["1.2.3.5"].GetValue() == "1.2.3.5" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "exim-spam.log" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "exim-spam.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "spam-attempt" results[0].Overflow.Alert.Events[0].GetMeta("service") == "exim" results[0].Overflow.Alert.Events[0].GetMeta("source_dns") == "test.sa.com" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.5" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-29T18:35:43Z" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "exim-spam.log" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "exim-spam.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "spam-attempt" results[0].Overflow.Alert.Events[1].GetMeta("service") == "exim" results[0].Overflow.Alert.Events[1].GetMeta("source_dns") == "tata.test.biz" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.5" -results[0].Overflow.Alert.Events[1].GetMeta("source_user") == "toto@test.biz" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "toto@test.biz" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-29T18:37:43Z" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "exim-spam.log" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "exim-spam.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" 
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "spam-attempt" results[0].Overflow.Alert.Events[2].GetMeta("service") == "exim" results[0].Overflow.Alert.Events[2].GetMeta("source_dns") == "tata.test.biz" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.5" -results[0].Overflow.Alert.Events[2].GetMeta("source_user") == "nico@test.biz" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "nico@test.biz" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-29T18:38:43Z" -results[0].Overflow.Alert.Events[2].GetMeta("username") == "titi@alpacas.com.au" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "exim-spam.log" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "exim-spam.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "spam-attempt" results[0].Overflow.Alert.Events[3].GetMeta("service") == "exim" results[0].Overflow.Alert.Events[3].GetMeta("source_helo") == "smtpclient.test" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.5" -results[0].Overflow.Alert.Events[3].GetMeta("source_user") == "info@toto.com.au" results[0].Overflow.Alert.Events[3].GetMeta("target_port") == "587" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "info@toto.com.au" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-29T18:39:43Z" -results[0].Overflow.Alert.Events[3].GetMeta("username") == "tutu@titi.com.au" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/exim-spam" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 4 
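Review bot: The new meta `target_user` in this fixture carries the sender address rather than the recipient: Events[2] now asserts `GetMeta("target_user") == "nico@test.biz"`, which was the old `source_user` value, while the old `username` value `titi@alpacas.com.au` (the RCPT recipient) no longer appears in meta at all. If scenarios treat `target_user` as the account being targeted, spam-attempt events will populate it with the untrusted MAIL FROM value, which reads like an inconsistency rather than an intended relabel; this fixture is regenerated output, so the question belongs to the parser change it was generated from, which is not in view. The same pattern is pinned in the next hunk (results[1] Events[0]: `target_user == "info@test.com"` with the former `username` `toto@toto.com` dropped). Worth confirming the intended meaning of `target_user` for spam lines before accepting the fixture.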
@@ -46,39 +45,39 @@ results[1].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" results[1].Overflow.Sources["1.2.3.4"].Range == "" results[1].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" results[1].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" -results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "exim-spam.log" +basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "exim-spam.log" results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "spam-attempt" results[1].Overflow.Alert.Events[0].GetMeta("rbl_url") == "https://www.spamhaus.org/sbl/query/SBLCSS" results[1].Overflow.Alert.Events[0].GetMeta("service") == "exim" results[1].Overflow.Alert.Events[0].GetMeta("source_dns") == "test.com" results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" -results[1].Overflow.Alert.Events[0].GetMeta("source_user") == "info@test.com" +results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "info@test.com" results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-29T15:33:46Z" -results[1].Overflow.Alert.Events[0].GetMeta("username") == "toto@toto.com" -results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "exim-spam.log" +basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "exim-spam.log" results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "spam-attempt" results[1].Overflow.Alert.Events[1].GetMeta("service") == "exim" results[1].Overflow.Alert.Events[1].GetMeta("source_dns") == "test.sa.com" results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4" results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-29T15:35:46Z" -results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "exim-spam.log" +basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "exim-spam.log" 
results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "spam-attempt" results[1].Overflow.Alert.Events[2].GetMeta("service") == "exim" results[1].Overflow.Alert.Events[2].GetMeta("source_dns") == "tata.test.biz" results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4" -results[1].Overflow.Alert.Events[2].GetMeta("source_user") == "toto@test.biz" +results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "toto@test.biz" results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-29T15:36:46Z" -results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "exim-spam.log" +basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "exim-spam.log" results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "spam-attempt" results[1].Overflow.Alert.Events[3].GetMeta("service") == "exim" results[1].Overflow.Alert.Events[3].GetMeta("source_dns") == "tata.test.biz" results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4" -results[1].Overflow.Alert.Events[3].GetMeta("source_user") == "toto@test.biz" +results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "toto@test.biz" results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-29T15:37:46Z" results[1].Overflow.Alert.GetScenario() == "crowdsecurity/exim-spam" results[1].Overflow.Alert.Remediation == true results[1].Overflow.Alert.GetEventsCount() == 4 + diff --git a/.tests/exim-syslog-logs/parser.assert b/.tests/exim-syslog-logs/parser.assert index 0a0a8d76005..7d767d996c2 100644 --- a/.tests/exim-syslog-logs/parser.assert +++ b/.tests/exim-syslog-logs/parser.assert 
@@ -1,470 +1,200 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 11
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jun 29 16:04:19"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "1234"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "exim"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jun 29 16:04:19"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jun 29 16:04:05"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jun 29 16:07:05"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jun 29 15:33:46"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jun 29 14:34:58"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jun 29 14:34:58"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\""
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jun 29 14:33:43"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender."
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jun 29 15:47:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender."
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jun 29 15:47:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Jun 29 13:54:29"
-results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["pid"] == "1234"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "exim"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "May 30 06:10:12"
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)"
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "exim-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "exim"
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "May 30 06:10:14"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["pid"] == "1234"
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "exim"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "May 30 06:10:14"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "server"
-len(results["s01-parse"]["crowdsecurity/exim-logs"]) == 11
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["target_user"] == "abuse@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["timestamp"] == "Jun 29 16:04:19"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["exim_auth"] == "dovecot_login"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["message"] == "dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["pid"] == "1234"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["program"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["source_port"] == "55379"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["target_user"] == "abuse@test.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Parsed["timestamp"] == "Jun 29 16:04:19"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["machine"] == "server"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_helo"] == "[1.2.3.5]"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["username"] == "abuse@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["log_type"] == "exim_failed_auth"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["timestamp"] == "Jun 29 16:04:05"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["exim_auth"] == "dovecot_plain"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["message"] == "dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["pid"] == "1234"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["program"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_helo"] == "mail.test.com"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_ip"] == "202.137.142.181"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_port"] == "47807"
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["source_helo"] == "mail.test.com"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["target_user"] == "dave"
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["username"] == "dave"
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_path"] == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Parsed["timestamp"] == "Jun 29 16:04:05"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_path"]) == "exim-logs.log"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["log_type"] == "exim_failed_auth"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["machine"] == "server"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_ip"] == "202.137.142.181"
 results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_helo"] == "mail.test.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Meta["source_ip"] == "202.137.142.181"
+results["s01-parse"]["crowdsecurity/exim-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["timestamp"] == "Jun 29 16:07:05"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["exim_auth"] == "dovecot_login"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["message"] == "dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["pid"] == "1234"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_port"] == "51451"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_dns"] == "ppp-1-2-3-4.test.test.co.th"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_helo"] == "[127.0.0.1]"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["source_port"] == "51451"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["target_user"] == "info@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["log_type"] == "exim_failed_auth"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Parsed["timestamp"] == "Jun 29 16:07:05"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["machine"] == "server"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_dns"] == "ppp-1-2-3-4.test.test.co.th"
 results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_helo"] == "[127.0.0.1]"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["username"] == "info@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["message"] == "H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\""
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_port"] == "53343"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["target_user"] == "toto@toto.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["timestamp"] == "Jun 29 15:33:46"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["pid"] == "1234"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["program"] == "exim"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_dns"] == "test.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_port"] == "53343"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["source_user"] == "info@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_dns"] == "test.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["target_user"] == "toto@toto.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Parsed["timestamp"] == "Jun 29 15:33:46"
+basename(results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_path"]) == "exim-logs.log"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["log_type"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["service"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_dns"] == "test.com"
 results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["source_user"] == "info@test.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["username"] == "toto@toto.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Meta["target_user"] == "info@test.com"
+results["s01-parse"]["crowdsecurity/exim-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/exim-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["timestamp"] == "Jun 29 14:34:58"
+results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["message"] == "H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_dns"] == "imfo.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_user"] == "jack@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["target_user"] == "sales@toto.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256"
+results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["pid"] == "1234"
 results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["program"] == "exim"
+results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_dns"] == "imfo.test.biz"
 results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_port"] == "35328"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_user"] == "jack@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["username"] == "sales@toto.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["log_type"] == "exim_failed_auth"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_dns"] == "imfo.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["message"] == "H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\""
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["rate_limit"] == "1.9/1h max:1.2"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_dns"] == "test.sa.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["source_port"] == "18146"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["acl"] == "connect"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Parsed["timestamp"] == "Jun 29 14:33:43"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["log_type"] == "spam-attempt"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["source_dns"] == "test.sa.com"
-results["s01-parse"]["crowdsecurity/exim-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender."
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_dns"] == "tata.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_port"] == "41584"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["source_user"] == "toto@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Parsed["timestamp"] == "Jun 29 15:47:21"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_user"] == "toto@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["log_type"] == "spam-attempt"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_dns"] == "tata.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][6].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_dns"] == "tata.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_port"] == "41584"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["source_user"] == "nico@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["timestamp"] == "Jun 29 15:47:21"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_dns"] == "tata.test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["source_user"] == "nico@test.biz"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["username"] == "titi@alpacas.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["datasource_path"] == "exim-logs.log"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["log_type"] == "spam-attempt"
-results["s01-parse"]["crowdsecurity/exim-logs"][7].Evt.Meta["service"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Success == true
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["timestamp"] == "Jun 29 13:54:29"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_helo"] == "smtpclient.test"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_ip"] == "1.136.28.14"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_user"] == "info@toto.com.au"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["message"] == "H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["program"] == "exim"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["source_port"] == "17125"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["target_port"] == "587"
-results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["target_user"] == "tutu@titi.com.au" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Parsed["tls_cipher"] == "TLS1.3:TLS_AES_128_GCM_SHA256:128" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_user"] == "info@toto.com.au" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["target_port"] == "587" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_helo"] == "smtpclient.test" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["source_ip"] == "1.136.28.14" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["username"] == "tutu@titi.com.au" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["log_type"] == "spam-attempt" -results["s01-parse"]["crowdsecurity/exim-logs"][8].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Success == true -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_dns"] == "no-helo.example.org" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_port"] == "5432" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["timestamp"] == "May 30 06:10:12" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["message"] == "login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["program"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["exim_auth"] == "login" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["source_ip"] == "192.0.2.11" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Parsed["target_user"] == "user" 
-results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["source_dns"] == "no-helo.example.org" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["source_ip"] == "192.0.2.11" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["username"] == "user" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][9].Evt.Meta["log_type"] == "exim_failed_auth" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Success == true -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["message"] == "login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_dns"] == "no-port.example.org" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["target_user"] == "user" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["timestamp"] == "May 30 06:10:14" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["exim_auth"] == "login" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["program"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Parsed["source_ip"] == "192.0.2.13" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["log_type"] == "exim_failed_auth" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["service"] == "exim" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_dns"] == "no-port.example.org" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["source_ip"] == "192.0.2.13" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["username"] == 
"user" -results["s01-parse"]["crowdsecurity/exim-logs"][10].Evt.Meta["datasource_path"] == "exim-logs.log" -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 11 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "55379" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_helo"] == "[1.2.3.5]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "abuse@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jun 29 16:04:19" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "dovecot_login authenticator failed for ([1.2.3.5]) [1.2.3.4]:55379: 535 Incorrect authentication data (set_id=abuse@test.com)" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_helo"] == "[1.2.3.5]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "abuse@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "exim" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "202.137.142.181" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_port"] == "47807" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_helo"] == "mail.test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_user"] == "dave" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jun 29 16:04:05" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "dovecot_plain authenticator failed for (mail.test.com) [202.137.142.181]:47807: 535 Incorrect authentication data (set_id=dave)" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "202.137.142.181" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_helo"] == "mail.test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "dave" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_user"] == "info@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jun 29 16:07:05" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "dovecot_login authenticator failed for ppp-1-2-3-4.test.test.co.th ([127.0.0.1]) [1.2.3.4]:51451: 535 Incorrect authentication data (set_id=info@test.com)" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_port"] == "51451" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_dns"] == "ppp-1-2-3-4.test.test.co.th" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_helo"] == "[127.0.0.1]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_dns"] == "ppp-1-2-3-4.test.test.co.th" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_helo"] == "[127.0.0.1]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "info@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_user"] == "toto@toto.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "H=test.com [1.2.3.4]:53343 F= rejected RCPT : \"JunkMail rejected - test.com [1.2.3.4]:53343 is in an RBL: https://www.spamhaus.org/sbl/query/SBLCSS\"" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_dns"] == "test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "53343" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_user"] == "info@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jun 29 15:33:46" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["rbl_url"] == "https://www.spamhaus.org/sbl/query/SBLCSS" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_dns"] == "test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_user"] == "info@test.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "toto@toto.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "spam-attempt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jun 29 14:34:58" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "H=imfo.test.biz [1.2.3.4]:35328 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : No Such User Here" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_dns"] == "imfo.test.biz" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_port"] == "35328" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_user"] == "jack@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["target_user"] == "sales@toto.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_user"] == "jack@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "sales@toto.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_dns"] == "imfo.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_dns"] == "test.sa.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_port"] == "18146" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["acl"] == "connect" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jun 29 14:33:43" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == 
"H=test.sa.com [1.2.3.4]:18146 temporarily rejected connection in \"connect\" ACL: \"Host is ratelimited (1.9/1h max:1.2)\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["rate_limit"] == "1.9/1h max:1.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "spam-attempt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_dns"] == "test.sa.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_port"] == "41584" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_user"] == "toto@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Jun 29 15:47:21" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 sender verify fail for : The mail server does not recognize toto@test.biz as a valid sender." 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_dns"] == "tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_user"] == "toto@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "spam-attempt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_dns"] == "tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "H=tata.test.biz [1.2.3.4]:41584 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= rejected RCPT : Sender verify failed" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["target_user"] == "titi@alpacas.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Jun 29 15:47:21" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_port"] == "41584" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_user"] == "nico@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["tls_cipher"] == "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_dns"] == 
"tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "spam-attempt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "titi@alpacas.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_dns"] == "tata.test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_user"] == "nico@test.biz" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_port"] == "17125" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_port"] == "587" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["tls_cipher"] == "TLS1.3:TLS_AES_128_GCM_SHA256:128" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "H=(smtpclient.test) [1.136.28.14]:17125 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no F= rejected RCPT : SMTP AUTH is required for message submission on port 587" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_helo"] == "smtpclient.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_user"] == "tutu@titi.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "Jun 29 13:54:29" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "1.136.28.14" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_user"] == "info@toto.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "1.136.28.14" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_port"] == "587" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "spam-attempt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_helo"] == "smtpclient.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_user"] == "info@toto.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "tutu@titi.com.au" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_port"] == "5432" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "May 30 06:10:12" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["exim_auth"] == "login" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_dns"] == "no-helo.example.org" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "login authenticator failed for no-helo.example.org [192.0.2.11]:5432: 535 Incorrect authentication data (set_id=user)" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.0.2.11" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["target_user"] == "user" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "exim-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_dns"] == "no-helo.example.org" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.0.2.11" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_dns"] == "no-port.example.org" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "May 30 06:10:14" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["exim_auth"] == "login" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "192.0.2.13" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["target_user"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "login authenticator failed for no-port.example.org [192.0.2.13]: 535 Incorrect authentication data (set_id=user)" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "exim_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "exim" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_dns"] == "no-port.example.org" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.0.2.13" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "user" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "exim-logs.log" -len(results["success"][""]) == 0 +results["s01-parse"]["crowdsecurity/exim-logs"][4].Evt.Parsed["source_user"] == "jack@test.biz" diff --git a/.tests/f5-big-ip-cve-2020-5902/parser.assert b/.tests/f5-big-ip-cve-2020-5902/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/filebrowser-logs/parser.assert b/.tests/filebrowser-logs/parser.assert index 65143acd142..9d62ab96bd8 100644 --- a/.tests/filebrowser-logs/parser.assert +++ b/.tests/filebrowser-logs/parser.assert 
@@ -753,10 +753,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Parsed["message"] == "2025/03/31 17:30:02 /api/login: 403 192.168.1.2 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][46].Evt.Meta["timestamp"] == "2025/03/31 17:30:02"
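Review bot: The new side asserts `Evt.Meta["auth_status"] == "failed"` but nothing pins that `log_type` is actually gone, so a parser that still emits `filebrowser_failed_auth` next to the new key would pass this file unchanged; if retiring the key is the intent, an explicit assertion that `Evt.Meta["log_type"]` is empty or absent for event 46 would state that expectation. The same edit repeats in the hunks for indices 47, 48, 49, 60, 61, 62, 63 and 64. Any scenario that selects these events with a filter on `evt.Meta.log_type == 'filebrowser_failed_auth'` would stop matching once the parser drops the key; that scenario file is not in view, so it is worth confirming it was switched to `auth_status`/`log_subtype` in the same change.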
@@ -766,10 +766,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Parsed["message"] == "2025/03/31 17:30:07 /api/login: 403 192.168.1.2 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][47].Evt.Meta["timestamp"] == "2025/03/31 17:30:07"
@@ -779,10 +779,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Parsed["message"] == "2025/03/31 17:31:15 /api/login: 403 192.168.1.2 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][48].Evt.Meta["timestamp"] == "2025/03/31 17:31:15"
@@ -792,10 +792,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Parsed["message"] == "2025/03/31 19:07:03 /api/login: 403 192.168.1.2 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][49].Evt.Meta["timestamp"] == "2025/03/31 19:07:03"
@@ -815,10 +815,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Parsed["message"] == "2025/04/03 23:39:21 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][60].Evt.Meta["timestamp"] == "2025/04/03 23:39:21"
@@ -828,10 +828,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Parsed["message"] == "2025/04/03 23:39:37 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][61].Evt.Meta["timestamp"] == "2025/04/03 23:39:37"
@@ -841,10 +841,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Parsed["message"] == "2025/04/03 23:39:38 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][62].Evt.Meta["timestamp"] == "2025/04/03 23:39:38"
@@ -854,10 +854,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Parsed["message"] == "2025/04/03 23:39:39 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][63].Evt.Meta["timestamp"] == "2025/04/03 23:39:39"
@@ -867,10 +867,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Parsed["message"] == "2025/04/03 23:39:40 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][64].Evt.Meta["timestamp"] == "2025/04/03 23:39:40"
@@ -880,10 +880,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Parsed["message"] == "2025/04/03 23:39:40 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][65].Evt.Meta["timestamp"] == "2025/04/03 23:39:40"
@@ -893,10 +893,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Parsed["message"] == "2025/04/03 23:39:43 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][66].Evt.Meta["timestamp"] == "2025/04/03 23:39:43"
@@ -906,10 +906,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Parsed["message"] == "2025/04/03 23:39:44 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][67].Evt.Meta["timestamp"] == "2025/04/03 23:39:44"
@@ -919,10 +919,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Parsed["message"] == "2025/04/03 23:39:44 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][68].Evt.Meta["timestamp"] == "2025/04/03 23:39:44"
@@ -932,10 +932,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Parsed["message"] == "2025/04/03 23:39:45 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][69].Evt.Meta["timestamp"] == "2025/04/03 23:39:45"
@@ -945,10 +945,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Parsed["message"] == "2025/04/03 23:39:45 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][70].Evt.Meta["timestamp"] == "2025/04/03 23:39:45"
@@ -958,10 +958,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Parsed["message"] == "2025/04/03 23:39:46 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][71].Evt.Meta["timestamp"] == "2025/04/03 23:39:46"
@@ -971,10 +971,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Parsed["message"] == "2025/04/03 23:39:46 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][72].Evt.Meta["timestamp"] == "2025/04/03 23:39:46"
@@ -984,10 +984,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Parsed["message"] == "2025/04/03 23:39:47 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][73].Evt.Meta["timestamp"] == "2025/04/03 23:39:47"
@@ -997,10 +997,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Parsed["message"] == "2025/04/03 23:39:47 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][74].Evt.Meta["timestamp"] == "2025/04/03 23:39:47"
@@ -1010,10 +1010,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Parsed["message"] == "2025/04/03 23:39:48 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][75].Evt.Meta["timestamp"] == "2025/04/03 23:39:48"
@@ -1023,10 +1023,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Parsed["message"] == "2025/04/03 23:39:48 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][76].Evt.Meta["timestamp"] == "2025/04/03 23:39:48"
@@ -1036,10 +1036,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Parsed["message"] == "2025/04/03 23:39:49 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][77].Evt.Meta["timestamp"] == "2025/04/03 23:39:49"
@@ -1049,10 +1049,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Parsed["message"] == "2025/04/03 23:39:49 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][78].Evt.Meta["timestamp"] == "2025/04/03 23:39:49"
@@ -1062,10 +1062,10 @@ results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Parsed["event_timesta
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Parsed["message"] == "2025/04/03 23:39:50 /api/login: 403 192.168.1.1 "
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Parsed["program"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["service"] == "filebrowser"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["MrShippeR/filebrowser-logs"][79].Evt.Meta["timestamp"] == "2025/04/03 23:39:50"
@@ -1096,10 +1096,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2025/03/31 17:30:02 /api/login: 403 192.168.1.2 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-03-31T17:30:02Z"
@@ -1110,10 +1110,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2025/03/31 17:30:07 /api/login: 403 192.168.1.2 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-03-31T17:30:07Z"
@@ -1124,10 +1124,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2025/03/31 17:31:15 /api/login: 403 192.168.1.2 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-03-31T17:31:15Z"
@@ -1138,10 +1138,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2025/03/31 19:07:03 /api/login: 403 192.168.1.2 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-03-31T19:07:03Z"
@@ -1152,10 +1152,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2025/04/03 23:39:21 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2025-04-03T23:39:21Z"
@@ -1166,10 +1166,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2025/04/03 23:39:37 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-04-03T23:39:37Z"
@@ -1180,10 +1180,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "2025/04/03 23:39:38 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2025-04-03T23:39:38Z"
@@ -1194,10 +1194,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "2025/04/03 23:39:39 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2025-04-03T23:39:39Z"
@@ -1208,10 +1208,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "2025/04/03 23:39:40 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2025-04-03T23:39:40Z"
@@ -1222,10 +1222,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["event_tim
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "2025/04/03 23:39:40 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2025-04-03T23:39:40Z"
@@ -1236,10 +1236,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "2025/04/03 23:39:43 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2025-04-03T23:39:43Z"
@@ -1250,10 +1250,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2025/04/03 23:39:44 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2025-04-03T23:39:44Z"
@@ -1264,10 +1264,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "2025/04/03 23:39:44 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2025-04-03T23:39:44Z"
@@ -1278,10 +1278,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "2025/04/03 23:39:45 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2025-04-03T23:39:45Z"
@@ -1292,10 +1292,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "2025/04/03 23:39:45 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2025-04-03T23:39:45Z"
@@ -1306,10 +1306,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "2025/04/03 23:39:46 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2025-04-03T23:39:46Z"
@@ -1320,10 +1320,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "2025/04/03 23:39:46 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2025-04-03T23:39:46Z"
@@ -1334,10 +1334,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["message"] == "2025/04/03 23:39:47 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2025-04-03T23:39:47Z"
@@ -1348,10 +1348,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["message"] == "2025/04/03 23:39:47 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2025-04-03T23:39:47Z"
@@ -1362,10 +1362,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["message"] == "2025/04/03 23:39:48 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["timestamp"] == "2025-04-03T23:39:48Z"
@@ -1376,10 +1376,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["message"] == "2025/04/03 23:39:48 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2025-04-03T23:39:48Z"
@@ -1390,10 +1390,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["message"] == "2025/04/03 23:39:49 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2025-04-03T23:39:49Z"
@@ -1404,10 +1404,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["message"] == "2025/04/03 23:39:49 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2025-04-03T23:39:49Z"
@@ -1418,10 +1418,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["event_ti
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["message"] == "2025/04/03 23:39:50 /api/login: 403 192.168.1.1 "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["program"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"]) == "filebrowser.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_subtype"] == "filebrowser_invalid_credentials"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_type"] == "filebrowser_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["service"] == "filebrowser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2025-04-03T23:39:50Z"
diff --git a/.tests/fortinet-cve-2018-13379/parser.assert b/.tests/fortinet-cve-2018-13379/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/freeswitch-acl-reject/parser.assert b/.tests/freeswitch-acl-reject/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/freeswitch-bf/parser.assert b/.tests/freeswitch-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/freeswitch-user-enumeration/parser.assert b/.tests/freeswitch-user-enumeration/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/geoip-enrich/parser.assert b/.tests/geoip-enrich/parser.assert
index f5de0669f7e..9381baa3a02 100644
--- a/.tests/geoip-enrich/parser.assert
+++ b/.tests/geoip-enrich/parser.assert
@@ -41,7 +41,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -57,7 +57,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_invalid_user
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
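Review bot: In both hunks here (and in the four geoip-enrich hunks that follow) the `+auth_status` assertion is placed where `-log_type` used to sit, after `datasource_type`, whereas every regenerated file elsewhere in this diff lists Meta keys alphabetically with `auth_status` before `datasource_path`. That ordering suggests these lines were edited by hand rather than regenerated, so the next regeneration of this assert file will produce a spurious reorder diff on top of any real change. Moving the `+results[...].Evt.Meta["auth_status"] == "failed"` line above the `datasource_path` assertion in each hunk, or regenerating the file, keeps it consistent with the rest of the tree. These hunks only cover the sshd-logs and enrich stages visible here; the rest of the file is outside this chunk.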
@@ -73,7 +73,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_invalid_user
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "192.168.1.1"
@@ -90,7 +90,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_inva
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -108,7 +108,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_inva
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
@@ -126,7 +126,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_inva
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.1"
@@ -150,7 +150,7 @@ results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["IsoCode"] == "F
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["SourceRange"] == "1.2.3.0/24"
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["datasource_path"] == "ssh-bf.log"
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/geoip-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
diff --git a/.tests/gitea-bf/parser.assert b/.tests/gitea-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/gitea-bf/scenario.assert b/.tests/gitea-bf/scenario.assert
index 8b264ae3db0..29a6afeae12 100644
--- a/.tests/gitea-bf/scenario.assert
+++ b/.tests/gitea-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["4.4.4.4"].IP == "4.4.4.4"
 results[0].Overflow.Sources["4.4.4.4"].Range == ""
 results[0].Overflow.Sources["4.4.4.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["4.4.4.4"].GetValue() == "4.4.4.4"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test1@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T13:57:58Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "test1@example.com"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test2@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T13:57:59Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "test2@example.com"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test3@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T13:58:00Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "test3@example.com"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test4@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T13:58:01Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "test4@example.com"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test5@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T13:58:02Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "test5@example.com"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.4"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test6@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T13:58:03Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "test6@example.com"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[1].Overflow.Sources["2.2.2.2"].Range == ""
 results[1].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[1].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "test1"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T12:59:58Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "test1"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "test2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T12:59:59Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "test2"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "test3"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T13:00:00Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "test3"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "test4"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T12:00:01Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "test4"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "test5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T12:00:02Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "test5"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "test6"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T12:00:03Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "test6"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf_user-enum"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
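Review bot: The six events pinned for source 2.2.2.2 are not in chronological order: Events[0..2] carry `2022-03-01T12:59:58Z` through `13:00:00Z`, while Events[3..5] jump back an hour to `12:00:01Z`, `12:00:02Z` and `12:00:03Z`. That looks like a `12:00` vs `13:00` typo in the test4–test6 lines of the gitea-bf.log fixture rather than an intended backwards time jump, and these assertions now freeze it; the same values recur under results[7] further down. If the intent is six failures a second apart, the fixture lines should read `13:00:01Z`, `13:00:02Z`, `13:00:03Z` and the three `timestamp` assertions here updated to match, otherwise the scenario's leak logic is being exercised on out-of-order input without that being stated anywhere. The log fixture itself is outside this diff.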
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["1234::5678"].IP == "1234::5678"
 results[2].Overflow.Sources["1234::5678"].Range == ""
 results[2].Overflow.Sources["1234::5678"].GetScope() == "Ip"
 results[2].Overflow.Sources["1234::5678"].GetValue() == "1234::5678"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[0].GetMeta("user") == "test"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "test1"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[1].GetMeta("user") == "test1"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "test2"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[2].GetMeta("user") == "test2"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "test3"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[3].GetMeta("user") == "test3"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "test4"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[4].GetMeta("user") == "test4"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "1234::5678"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "test5"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-12T12:17:34Z"
-results[2].Overflow.Alert.Events[5].GetMeta("user") == "test5"
 results[2].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf_user-enum"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
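Review bot: Removing the `log_type` and `user` assertions without replacing them leaves nothing that checks the old meta keys are actually gone, so a parser that still emitted `log_type`/`user` alongside the new `auth_status`/`target_user` would pass this hunk unchanged. If the assert helper returns an empty string for an absent key, as it appears to for the other `GetMeta` checks, one line per alert such as `results[2].Overflow.Alert.Events[0].GetMeta("log_type") == ""` would pin the removal. Dropping `log_type` and renaming `user` is also a contract change for any scenario, postoverflow or notification template that reads `evt.Meta.user` or filters on `gitea_failed_auth`; those consumers are outside this diff and presumably updated alongside, but worth confirming before merge.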
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["6.6.6.6"].IP == "6.6.6.6"
 results[3].Overflow.Sources["6.6.6.6"].Range == ""
 results[3].Overflow.Sources["6.6.6.6"].GetScope() == "Ip"
 results[3].Overflow.Sources["6.6.6.6"].GetValue() == "6.6.6.6"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[0].GetMeta("user") == "test"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[1].GetMeta("user") == "test"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[2].GetMeta("user") == "test"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[3].GetMeta("user") == "test"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[4].GetMeta("user") == "test"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "6.6.6.6"
+results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-04-29T12:35:50Z"
-results[3].Overflow.Alert.Events[5].GetMeta("user") == "test"
 results[3].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[3].Overflow.Alert.Remediation == true
 results[3].Overflow.Alert.GetEventsCount() == 6
@@ -204,48 +204,48 @@ results[4].Overflow.Sources["5.5.5.5"].IP == "5.5.5.5"
 results[4].Overflow.Sources["5.5.5.5"].Range == ""
 results[4].Overflow.Sources["5.5.5.5"].GetScope() == "Ip"
 results[4].Overflow.Sources["5.5.5.5"].GetValue() == "5.5.5.5"
+results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[0].GetMeta("user") == "test@example.com"
+results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[1].GetMeta("user") == "test@example.com"
+results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[2].GetMeta("user") == "test@example.com"
+results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[3].GetMeta("user") == "test@example.com"
+results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[4].GetMeta("user") == "test@example.com"
+results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[4].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "5.5.5.5"
+results[4].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com"
 results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-04-29T12:33:54Z"
-results[4].Overflow.Alert.Events[5].GetMeta("user") == "test@example.com"
 results[4].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[4].Overflow.Alert.Remediation == true
 results[4].Overflow.Alert.GetEventsCount() == 6
@@ -254,48 +254,48 @@ results[5].Overflow.Sources["4.4.4.4"].IP == "4.4.4.4"
 results[5].Overflow.Sources["4.4.4.4"].Range == ""
 results[5].Overflow.Sources["4.4.4.4"].GetScope() == "Ip"
 results[5].Overflow.Sources["4.4.4.4"].GetValue() == "4.4.4.4"
+results[5].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[0].GetMeta("target_user") == "test1@example.com"
 results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T13:57:58Z"
-results[5].Overflow.Alert.Events[0].GetMeta("user") == "test1@example.com"
+results[5].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[1].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[1].GetMeta("target_user") == "test2@example.com"
 results[5].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T13:57:59Z"
-results[5].Overflow.Alert.Events[1].GetMeta("user") == "test2@example.com"
+results[5].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[2].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[2].GetMeta("target_user") == "test3@example.com"
 results[5].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T13:58:00Z"
-results[5].Overflow.Alert.Events[2].GetMeta("user") == "test3@example.com"
+results[5].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[3].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[3].GetMeta("target_user") == "test4@example.com"
 results[5].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T13:58:01Z"
-results[5].Overflow.Alert.Events[3].GetMeta("user") == "test4@example.com"
+results[5].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[4].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[4].GetMeta("target_user") == "test5@example.com"
 results[5].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T13:58:02Z"
-results[5].Overflow.Alert.Events[4].GetMeta("user") == "test5@example.com"
+results[5].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[5].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[5].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[5].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[5].Overflow.Alert.Events[5].GetMeta("source_ip") == "4.4.4.4"
+results[5].Overflow.Alert.Events[5].GetMeta("target_user") == "test6@example.com"
 results[5].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T13:58:03Z"
-results[5].Overflow.Alert.Events[5].GetMeta("user") == "test6@example.com"
 results[5].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[5].Overflow.Alert.Remediation == true
 results[5].Overflow.Alert.GetEventsCount() == 6
@@ -304,48 +304,48 @@ results[6].Overflow.Sources["3.3.3.3"].IP == "3.3.3.3"
 results[6].Overflow.Sources["3.3.3.3"].Range == ""
 results[6].Overflow.Sources["3.3.3.3"].GetScope() == "Ip"
 results[6].Overflow.Sources["3.3.3.3"].GetValue() == "3.3.3.3"
+results[6].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[0].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T13:00:58Z"
-results[6].Overflow.Alert.Events[0].GetMeta("user") == "test@example.com"
+results[6].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[1].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T13:00:59Z"
-results[6].Overflow.Alert.Events[1].GetMeta("user") == "test@example.com"
+results[6].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T13:01:00Z"
-results[6].Overflow.Alert.Events[2].GetMeta("user") == "test@example.com"
+results[6].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T13:01:01Z"
-results[6].Overflow.Alert.Events[3].GetMeta("user") == "test@example.com"
+results[6].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[4].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T13:01:02Z"
-results[6].Overflow.Alert.Events[4].GetMeta("user") == "test@example.com"
+results[6].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[6].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[6].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[6].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[6].Overflow.Alert.Events[5].GetMeta("source_ip") == "3.3.3.3"
+results[6].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com"
 results[6].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T13:01:03Z"
-results[6].Overflow.Alert.Events[5].GetMeta("user") == "test@example.com"
 results[6].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[6].Overflow.Alert.Remediation == true
 results[6].Overflow.Alert.GetEventsCount() == 6
@@ -354,48 +354,48 @@ results[7].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[7].Overflow.Sources["2.2.2.2"].Range == ""
 results[7].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[7].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
+results[7].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[0].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[0].GetMeta("target_user") == "test1"
 results[7].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T12:59:58Z"
-results[7].Overflow.Alert.Events[0].GetMeta("user") == "test1"
+results[7].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[1].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[1].GetMeta("target_user") == "test2"
 results[7].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T12:59:59Z"
-results[7].Overflow.Alert.Events[1].GetMeta("user") == "test2"
+results[7].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[2].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[2].GetMeta("target_user") == "test3"
 results[7].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T13:00:00Z"
-results[7].Overflow.Alert.Events[2].GetMeta("user") == "test3"
+results[7].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[3].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[3].GetMeta("target_user") == "test4"
 results[7].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T12:00:01Z"
-results[7].Overflow.Alert.Events[3].GetMeta("user") == "test4"
+results[7].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[4].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[4].GetMeta("target_user") == "test5"
 results[7].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T12:00:02Z"
-results[7].Overflow.Alert.Events[4].GetMeta("user") == "test5"
+results[7].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[7].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log"
 results[7].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[7].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth"
 results[7].Overflow.Alert.Events[5].GetMeta("service") == "gitea"
 results[7].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2"
+results[7].Overflow.Alert.Events[5].GetMeta("target_user") == "test6"
 results[7].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T12:00:03Z"
-results[7].Overflow.Alert.Events[5].GetMeta("user") == "test6"
 results[7].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[7].Overflow.Alert.Remediation == true
 results[7].Overflow.Alert.GetEventsCount() == 6
@@ -404,48 +404,48 @@ results[8].Overflow.Sources["1234::5678"].IP == "1234::5678" results[8].Overflow.Sources["1234::5678"].Range == "" results[8].Overflow.Sources["1234::5678"].GetScope() == "Ip" results[8].Overflow.Sources["1234::5678"].GetValue() == "1234::5678" +results[8].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth" results[8].Overflow.Alert.Events[0].GetMeta("service") == "gitea" results[8].Overflow.Alert.Events[0].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[0].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[0].GetMeta("user") == "test" +results[8].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth" results[8].Overflow.Alert.Events[1].GetMeta("service") == "gitea" results[8].Overflow.Alert.Events[1].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[1].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[1].GetMeta("user") == "test" +results[8].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth" results[8].Overflow.Alert.Events[2].GetMeta("service") == "gitea" 
results[8].Overflow.Alert.Events[2].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[2].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[2].GetMeta("user") == "test" +results[8].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth" results[8].Overflow.Alert.Events[3].GetMeta("service") == "gitea" results[8].Overflow.Alert.Events[3].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[3].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[3].GetMeta("user") == "test" +results[8].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth" results[8].Overflow.Alert.Events[4].GetMeta("service") == "gitea" results[8].Overflow.Alert.Events[4].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[4].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[4].GetMeta("user") == "test" +results[8].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[8].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log" results[8].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[8].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth" 
results[8].Overflow.Alert.Events[5].GetMeta("service") == "gitea" results[8].Overflow.Alert.Events[5].GetMeta("source_ip") == "1234::5678" +results[8].Overflow.Alert.Events[5].GetMeta("target_user") == "test" results[8].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-12T12:17:34Z" -results[8].Overflow.Alert.Events[5].GetMeta("user") == "test" results[8].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf" results[8].Overflow.Alert.Remediation == true results[8].Overflow.Alert.GetEventsCount() == 6 
@@ -454,48 +454,48 @@ results[9].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1" results[9].Overflow.Sources["1.1.1.1"].Range == "" results[9].Overflow.Sources["1.1.1.1"].GetScope() == "Ip" results[9].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1" +results[9].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[0].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[0].GetMeta("service") == "gitea" results[9].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1" +results[9].Overflow.Alert.Events[0].GetMeta("target_user") == "test" results[9].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-03-01T12:57:58Z" -results[9].Overflow.Alert.Events[0].GetMeta("user") == "test" +results[9].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[1].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[1].GetMeta("service") == "gitea" results[9].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1" +results[9].Overflow.Alert.Events[1].GetMeta("target_user") == "test" results[9].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-03-01T12:57:59Z" -results[9].Overflow.Alert.Events[1].GetMeta("user") == "test" +results[9].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[2].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[2].GetMeta("service") == "gitea" 
results[9].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1" +results[9].Overflow.Alert.Events[2].GetMeta("target_user") == "test" results[9].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-03-01T12:58:00Z" -results[9].Overflow.Alert.Events[2].GetMeta("user") == "test" +results[9].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[3].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[3].GetMeta("service") == "gitea" results[9].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1" +results[9].Overflow.Alert.Events[3].GetMeta("target_user") == "test" results[9].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-03-01T12:58:01Z" -results[9].Overflow.Alert.Events[3].GetMeta("user") == "test" +results[9].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[4].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[4].GetMeta("service") == "gitea" results[9].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1" +results[9].Overflow.Alert.Events[4].GetMeta("target_user") == "test" results[9].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-03-01T12:58:02Z" -results[9].Overflow.Alert.Events[4].GetMeta("user") == "test" +results[9].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[9].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "gitea-bf.log" results[9].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[9].Overflow.Alert.Events[5].GetMeta("log_type") == "gitea_failed_auth" results[9].Overflow.Alert.Events[5].GetMeta("service") == 
"gitea"
 results[9].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
+results[9].Overflow.Alert.Events[5].GetMeta("target_user") == "test"
 results[9].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-03-01T12:58:03Z"
-results[9].Overflow.Alert.Events[5].GetMeta("user") == "test"
 results[9].Overflow.Alert.GetScenario() == "LePresidente/gitea-bf"
 results[9].Overflow.Alert.Remediation == true
-results[9].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[9].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/gitea-logs/gitea-logs.log b/.tests/gitea-logs/gitea-logs.log
index f69917b46ef..0a5c1cd5469 100644
--- a/.tests/gitea-logs/gitea-logs.log
+++ b/.tests/gitea-logs/gitea-logs.log
@@ -4,4 +4,5 @@
 2023/05/12 12:17:35 ...ers/web/auth/auth.go:206:SignInPost() [I] [645e123e] Failed authentication attempt for test@example.com from [1234::5678]:0: user does not exist [uid: 0, name: asd, keyid: 0]
 2023/10/05 16:48:46 ...ers/web/auth/auth.go:206:SignInPost() [I] Failed authentication attempt for toto from 1.1.1.1:39522: user's password is invalid [uid: 1, name: asd]
 2025/04/29 12:33:54 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for test@example.com from 1.1.1.1:48560: Email address does not exist [email: test@example.com]
-2025/04/29 12:35:50 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for test from 1.1.1.1:48860: user does not exist [uid: 0, name: test]
\ No newline at end of file
+2025/04/29 12:35:50 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for test from 1.1.1.1:48860: user does not exist [uid: 0, name: test]
+2025/04/29 12:36:00 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 1.1.1.1:48861: user does not exist [uid: 0, name: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl]
\ No newline at end of file
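Review bot: The added sample only exercises a login name made of letters, digits and hyphens, so it cannot show whether the username capture stops in the right place when the submitted name itself contains a space, a `]` or the token ` from `; in these lines the name appears to be whatever the client typed into the login form, i.e. attacker-controlled, and an over-greedy capture would let the attacker shift which address ends up in `remote_ip`/`source_ip` and therefore which address gets banned. The parser pattern is not part of this diff, so this is inferred from the fixture alone. A cheap way to pin it is one more line such as `2025/04/29 12:36:01 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for a b from 9.9.9.9 from 1.1.1.1:48862: user does not exist [uid: 0, name: a b from 9.9.9.9]` with a matching parser.assert entry that checks `source_ip == "1.1.1.1"`. The fixture also still ends without a trailing newline, which git will flag again on every future append.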
diff --git a/.tests/gitea-logs/parser.assert b/.tests/gitea-logs/parser.assert
index d6de18d22c2..a0c239c6119 100644
--- a/.tests/gitea-logs/parser.assert
+++ b/.tests/gitea-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 8
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022/03/01 12:57:58 ...ers/web/auth/auth.go:200:SignInPost() [I] Failed authentication attempt for test from 1.1.1.1:39522: user does not exist [uid: 0, name: test, keyid: 0]"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "gitea"
@@ -42,7 +42,13 @@ results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "gite
 basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "gitea-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "2025/04/29 12:36:00 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 1.1.1.1:48861: user does not exist [uid: 0, name: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl]"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "gitea"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "gitea-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
@@ -50,7 +56,8 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
-len(results["s01-parse"]["LePresidente/gitea-logs"]) == 7
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false
+len(results["s01-parse"]["LePresidente/gitea-logs"]) == 8
 results["s01-parse"]["LePresidente/gitea-logs"][0].Success == true
 results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["message"] == "2022/03/01 12:57:58 ...ers/web/auth/auth.go:200:SignInPost() [I] Failed authentication attempt for test from 1.1.1.1:39522: user does not exist [uid: 0, name: test, keyid: 0]"
 results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["program"] == "gitea"
@@ -58,12 +65,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["remote_ip"] == "1 results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["remote_port"] == "39522" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["timestamp"] == "2022/03/01 12:57:58" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Parsed["username"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["user"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Meta["target_user"] == "test" results["s01-parse"]["LePresidente/gitea-logs"][0].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][1].Success == true results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Parsed["message"] == "2022/03/01 12:57:59 ...ers/web/auth/auth.go:200:SignInPost() [I] Failed authentication attempt for test@example.com from 1.1.1.1:39522: user does not exist [uid: 1, name: test, keyid: 0]" 
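Review bot: The expectations drop `Evt.Meta["log_type"] == "gitea_failed_auth"` and rename `Evt.Meta["user"]` to `Evt.Meta["target_user"]`, which is an interface change for every scenario consuming this parser, not only the ones whose asserts are updated in this diff; a scenario filtering on `evt.Meta.log_type == 'gitea_failed_auth'` or grouping on `evt.Meta.user` will not fail any test, it will simply stop overflowing, which is a silent detection gap rather than an error. The parser itself is outside this diff, so this is inferred from the assert changes alone. If the rename is intentional, consider emitting the old keys alongside the new ones for a deprecation cycle, or at least stating the rename and the presumable replacement filter (`evt.Meta.service == 'gitea' && evt.Meta.auth_status == 'failed'`) in the parser's description so downstream scenario authors can adjust.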
@@ -72,12 +79,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Parsed["remote_ip"] == "1 results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Parsed["remote_port"] == "39522" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Parsed["timestamp"] == "2022/03/01 12:57:59" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["user"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["LePresidente/gitea-logs"][1].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][2].Success == true results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Parsed["message"] == "2023/05/12 12:17:34 ...ers/web/auth/auth.go:206:SignInPost() [I] [645e123e] Failed authentication attempt for test from [1234::5678]:0: user does not exist [uid: 0, name: asd, keyid: 0]" 
@@ -85,12 +92,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Parsed["program"] == "git results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Parsed["remote_ip"] == "1234::5678" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Parsed["timestamp"] == "2023/05/12 12:17:34" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Parsed["username"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["source_ip"] == "1234::5678" -results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["user"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Meta["target_user"] == "test" results["s01-parse"]["LePresidente/gitea-logs"][2].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][3].Success == true results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Parsed["message"] == "2023/05/12 12:17:35 ...ers/web/auth/auth.go:206:SignInPost() [I] [645e123e] Failed authentication attempt for test@example.com from [1234::5678]:0: user does not exist [uid: 0, name: asd, keyid: 0]" 
@@ -98,12 +105,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Parsed["program"] == "git results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Parsed["remote_ip"] == "1234::5678" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Parsed["timestamp"] == "2023/05/12 12:17:35" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["source_ip"] == "1234::5678" -results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["user"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["LePresidente/gitea-logs"][3].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][4].Success == true results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Parsed["message"] == "2023/10/05 16:48:46 ...ers/web/auth/auth.go:206:SignInPost() [I] Failed authentication attempt for toto from 1.1.1.1:39522: user's password is invalid [uid: 1, name: asd]" 
@@ -112,12 +119,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Parsed["remote_ip"] == "1 results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Parsed["remote_port"] == "39522" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Parsed["timestamp"] == "2023/10/05 16:48:46" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Parsed["username"] == "toto" +results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["user"] == "toto" +results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Meta["target_user"] == "toto" results["s01-parse"]["LePresidente/gitea-logs"][4].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][5].Success == true results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Parsed["message"] == "2025/04/29 12:33:54 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for test@example.com from 1.1.1.1:48560: Email address does not exist [email: test@example.com]" 
@@ -126,12 +133,12 @@ results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Parsed["remote_ip"] == "1 results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Parsed["remote_port"] == "48560" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Parsed["timestamp"] == "2025/04/29 12:33:54" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["user"] == "test@example.com" +results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["LePresidente/gitea-logs"][5].Evt.Whitelisted == false results["s01-parse"]["LePresidente/gitea-logs"][6].Success == true results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Parsed["message"] == "2025/04/29 12:35:50 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for test from 1.1.1.1:48860: user does not exist [uid: 0, name: test]" 
@@ -140,14 +147,28 @@ results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Parsed["remote_ip"] == "1 results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Parsed["remote_port"] == "48860" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Parsed["timestamp"] == "2025/04/29 12:35:50" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Parsed["username"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["log_type"] == "gitea_failed_auth" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["service"] == "gitea" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["source_ip"] == "1.1.1.1" -results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["user"] == "test" +results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Meta["target_user"] == "test" results["s01-parse"]["LePresidente/gitea-logs"][6].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7 +results["s01-parse"]["LePresidente/gitea-logs"][7].Success == true +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["message"] == "2025/04/29 12:36:00 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 1.1.1.1:48861: user does not exist [uid: 0, name: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl]" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["program"] == "gitea" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["remote_ip"] == "1.1.1.1" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["remote_port"] == "48861" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["timestamp"] == "2025/04/29 12:36:00" 
+results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["datasource_path"]) == "gitea-logs.log" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["service"] == "gitea" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["source_ip"] == "1.1.1.1" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["LePresidente/gitea-logs"][7].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022/03/01 12:57:58 ...ers/web/auth/auth.go:200:SignInPost() [I] Failed authentication attempt for test from 1.1.1.1:39522: user does not exist [uid: 0, name: test, keyid: 0]" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "gitea" 
@@ -155,13 +176,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_ip results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_port"] == "39522" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022/03/01 12:57:58" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "gitea_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "gitea" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-03-01T12:57:58Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "test" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-03-01T12:57:58Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true 
@@ -171,13 +192,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_ip results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_port"] == "39522" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022/03/01 12:57:59" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "gitea_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "gitea" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.1.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-03-01T12:57:59Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-03-01T12:57:59Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true 
@@ -186,13 +207,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_ip"] == "1234::5678" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023/05/12 12:17:34" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "gitea_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "gitea" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1234::5678" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "test" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-05-12T12:17:34Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "test" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-05-12T12:17:34Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true 
@@ -201,13 +222,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_ip"] == "1234::5678" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2023/05/12 12:17:35" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "test@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "gitea-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "gitea_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "gitea" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1234::5678" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-05-12T12:17:35Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-05-12T12:17:35Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true 
@@ -217,13 +238,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_port"] == "39522"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2023/10/05 16:48:46"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "toto"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "gitea-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "gitea_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "gitea"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "toto"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-10-05T16:48:46Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "toto"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-10-05T16:48:46Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
@@ -233,13 +254,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_port"] == "48560"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2025/04/29 12:33:54"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "gitea-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "gitea_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "gitea"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-04-29T12:33:54Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2025-04-29T12:33:54Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
@@ -249,13 +270,29 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_port"] == "48860"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "2025/04/29 12:35:50"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "gitea-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "gitea_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "gitea"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2025-04-29T12:35:50Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2025-04-29T12:35:50Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "2025/04/29 12:36:00 ...ers/web/auth/auth.go:217:SignInPost() [W] Failed authentication attempt for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 1.1.1.1:48861: user does not exist [uid: 0, name: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "gitea"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_port"] == "48861"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "2025/04/29 12:36:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "gitea-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "gitea"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2025-04-29T12:36:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2025-04-29T12:36:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/gitlab-bf/parser.assert b/.tests/gitlab-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/gotify-bf/parser.assert b/.tests/gotify-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/gotify-bf/scenario.assert b/.tests/gotify-bf/scenario.assert
index e3d62498db9..7bbe721c8fa 100644
--- a/.tests/gotify-bf/scenario.assert
+++ b/.tests/gotify-bf/scenario.assert
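Review bot: Event [7] is appended with a full set of per-event assertions, but nothing in the hunk pins that the enrich stage now holds exactly eight events, so an extra or dropped event is only caught if a count assertion earlier in the file (not visible in this chunk) was bumped in step. The gotify-logs file in this same change carries `len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8`; adding the equivalent line just before the restored `len(results["success"][""]) == 0` would make this file self-checking. The new fixture is the `user does not exist` variant with a truncated caller path (`...ers/web/auth/auth.go:217`), a worthwhile regression case for the username capture, and the assertions show it is classified as `auth_status == "failed"` exactly like a wrong-password attempt, which is the right outcome for an enumeration probe.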
@@ -4,24 +4,28 @@ results[0].Overflow.Sources["10.1.2.3"].IP == "10.1.2.3"
 results[0].Overflow.Sources["10.1.2.3"].Range == ""
 results[0].Overflow.Sources["10.1.2.3"].GetScope() == "Ip"
 results[0].Overflow.Sources["10.1.2.3"].GetValue() == "10.1.2.3"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "gotify-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "gotify-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "gotify_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "gotify"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.1.2.3"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-07T10:52:13Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "gotify-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "gotify-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "gotify_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "gotify"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.1.2.3"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-07T10:52:13Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "gotify-logs.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "gotify-logs.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "gotify_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "gotify"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.1.2.3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-07T10:52:13Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "gotify-logs.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "gotify-logs.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "gotify_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "gotify"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.1.2.3"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-07T10:52:13Z"
 results[0].Overflow.Alert.GetScenario() == "baudneo/gotify-bf"
diff --git a/.tests/gotify-logs/parser.assert b/.tests/gotify-logs/parser.assert
index cf5f7ec580d..82f1b944540 100644
--- a/.tests/gotify-logs/parser.assert
+++ b/.tests/gotify-logs/parser.assert
@@ -85,7 +85,7 @@ results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Parsed["time"] == "10:49:33"
 results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][1].Success == false
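Review bot: With `log_type == "gotify_failed_auth"` removed, the only discriminators left on the overflowed events are `auth_status == "failed"` and `service == "gotify"`; if the filter behind `baudneo/gotify-bf` was rewritten to select on `auth_status` alone, failed logins from every other parser that now emits that key would land in the gotify bucket and inflate its count toward the ban threshold. These assertions pin the meta of the events that did overflow but say nothing about what the filter rejects, and the scenario definition is not in this chunk. A fixture line from another service (or a gotify line without `auth_status`) together with an assertion that it never appears under `results[0].Overflow.Alert.Events` would close that gap.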
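Review bot: The path check `results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["datasource_path"] == "gotify-logs.log"` is kept as a bare comparison here, while the gotify-bf scenario hunk directly above and the gitea hunks earlier in this change wrap the same key in `basename(...)`; if the harness ever reports a directory-qualified path this file will fail for a reason unrelated to parsing. The inserted `auth_status` line is also placed after `datasource_type` instead of the key-sorted position used by the other files in this change, and no `Meta["service"]` assertion appears for these events even though the scenario assert relies on `service == "gotify"`, which suggests this file was edited by hand rather than regenerated. Regenerating it from the parser output would settle both points; at minimum change the path line to `basename(results["s01-parse"]["baudneo/gotify-logs"][0].Evt.Meta["datasource_path"]) == "gotify-logs.log"` and do the same in the sibling hunks.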
@@ -102,7 +102,7 @@ results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Parsed["time"] == "10:50:10"
 results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][3].Success == false
@@ -119,7 +119,7 @@ results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Parsed["time"] == "10:51:34"
 results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][5].Success == true
@@ -135,7 +135,7 @@ results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Parsed["time"] == "10:52:13"
 results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][6].Success == true
@@ -151,7 +151,7 @@ results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Parsed["time"] == "10:53:13"
 results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][7].Success == true
@@ -167,7 +167,7 @@ results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Parsed["time"] == "10:54:13"
 results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][8].Success == true
@@ -183,7 +183,7 @@ results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Parsed["time"] == "10:55:13"
 results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/gotify-logs"][9].Success == true
@@ -196,7 +196,7 @@ results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Parsed["source_ip"] == "10.1.
 results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Parsed["timestamp"] == "2023-12-27T22:38:09Z"
 results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s01-parse"]["baudneo/gotify-logs"][9].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8
@@ -213,7 +213,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-02-07T10:49:33Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:49:33Z"
@@ -231,7 +231,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-02-07T10:50:10Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:50:10Z"
@@ -249,7 +249,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-02-07T10:51:34Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:51:34Z"
@@ -267,7 +267,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-02-07T10:52:13Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:52:13Z"
@@ -285,7 +285,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-02-07T10:53:13Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:53:13Z"
@@ -303,7 +303,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-02-07T10:54:13Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:54:13Z"
@@ -321,7 +321,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-02-07T10:55:13Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-02-07T10:55:13Z"
@@ -336,7 +336,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "2023-12-27T22:38:09Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "gotify-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "gotify_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "10.1.2.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2023-12-27T22:38:09Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2023-12-27T22:38:09Z"
diff --git a/.tests/grafana-bf/parser.assert b/.tests/grafana-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/grafana-bf/scenario.assert b/.tests/grafana-bf/scenario.assert
index 139baecb7c8..98085ebdcdc 100644
--- a/.tests/grafana-bf/scenario.assert
+++ b/.tests/grafana-bf/scenario.assert
@@ -4,45 +4,45 @@ results[0].Overflow.Sources["192.168.1.6"].IP == "192.168.1.6"
 results[0].Overflow.Sources["192.168.1.6"].Range == ""
 results[0].Overflow.Sources["192.168.1.6"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.6"].GetValue() == "192.168.1.6"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.6"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-06T07:25:22.597595031Z"
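Review bot: All six events in this overflow carry the identical timestamp `2024-02-06T07:25:22.597595031Z` down to the nanosecond (and the next hunk shows the same for `192.168.1.5` at `07:24:56.503804307Z`), which looks like one log line copied six times rather than six attempts; such a fixture presumably never exercises the bucket's leak rate, so a regression that made the scenario overflow only for a burst inside a single instant would still pass. If that is intentional it should be stated in the fixture; otherwise spreading the six attempts across a window shorter than the scenario's leak speed but not identical would make this overflow assertion meaningful. Separately, the hunk removes `log_type == "auth_failed"` without asserting that the key is now absent, so a parser still emitting both keys would not be noticed; `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == ""` would cover that if GetMeta returns the empty string for a missing key, which the page does not show.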
@@ -54,45 +54,45 @@ results[1].Overflow.Sources["192.168.1.5"].IP == "192.168.1.5"
 results[1].Overflow.Sources["192.168.1.5"].Range == ""
 results[1].Overflow.Sources["192.168.1.5"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.1.5"].GetValue() == "192.168.1.5"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.5"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-06T07:24:56.503804307Z"
@@ -104,45 +104,45 @@ results[2].Overflow.Sources["192.168.1.4"].IP == "192.168.1.4"
 results[2].Overflow.Sources["192.168.1.4"].Range == ""
 results[2].Overflow.Sources["192.168.1.4"].GetScope() == "Ip"
 results[2].Overflow.Sources["192.168.1.4"].GetValue() == "192.168.1.4"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
-results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
-results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.4"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-07T09:34:51.1833376+02:00"
@@ -154,45 +154,45 @@ results[3].Overflow.Sources["192.168.1.3"].IP == "192.168.1.3"
 results[3].Overflow.Sources["192.168.1.3"].Range == ""
 results[3].Overflow.Sources["192.168.1.3"].GetScope() == "Ip"
 results[3].Overflow.Sources["192.168.1.3"].GetValue() == "192.168.1.3"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[0].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
-results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
-results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[2].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
-results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[3].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
-results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[4].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
-results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[5].GetMeta("log_format") == "JSON"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.3"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-07T09:33:35.0353436+02:00"
@@ -204,45 +204,45 @@ results[4].Overflow.Sources["192.168.1.2"].IP == "192.168.1.2"
 results[4].Overflow.Sources["192.168.1.2"].Range == ""
 results[4].Overflow.Sources["192.168.1.2"].GetScope() == "Ip"
 results[4].Overflow.Sources["192.168.1.2"].GetValue() == "192.168.1.2"
-results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
-results[4].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
-results[4].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
-results[4].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
-results[4].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
-results[4].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[4].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.2"
 results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-14T06:11:26.182430512+02:00"
@@ -254,48 +254,48 @@ results[5].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
 results[5].Overflow.Sources["192.168.1.1"].Range == ""
 results[5].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
 results[5].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
-results[5].Overflow.Alert.Events[0].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[0].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[0].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
-results[5].Overflow.Alert.Events[1].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[1].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[1].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
-results[5].Overflow.Alert.Events[2].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[2].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[2].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
-results[5].Overflow.Alert.Events[3].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[3].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[3].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
-results[5].Overflow.Alert.Events[4].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[4].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[4].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
-results[5].Overflow.Alert.Events[5].GetMeta("datasource_path") == "grafana-bf.log"
+results[5].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "grafana-bf.log"
 results[5].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[5].Overflow.Alert.Events[5].GetMeta("log_format") == "CLF"
-results[5].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[5].Overflow.Alert.Events[5].GetMeta("service") == "grafana"
 results[5].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.1"
 results[5].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-14T06:10:23.366875297+02:00"
 results[5].Overflow.Alert.GetScenario() == "LePresidente/grafana-bf"
 results[5].Overflow.Alert.Remediation == true
-results[5].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[5].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/grafana-logs/grafana-logs.log b/.tests/grafana-logs/grafana-logs.log
index 8b824a57d53..65e0e8f1e5a 100644
--- a/.tests/grafana-logs/grafana-logs.log
+++ b/.tests/grafana-logs/grafana-logs.log
@@ -6,4 +6,5 @@ logger=http.server t=2023-03-14T06:11:09.073590975+02:00 level=info msg="Success
 {"User":"admin@localhost","level":"info","logger":"http.server","msg":"Successful Login","t":"2024-02-07T09:34:16.8294691+02:00"}
 logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:19.8927413+02:00 level=info msg=Unauthorized error="[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password" remote_addr=192.168.1.3 traceID=
 logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:22.5261499+02:00 level=info msg=Unauthorized error="[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found" remote_addr=192.168.1.3 traceID=
-logger=context userId=0 orgId=0 uname= t=2025-07-17T13:08:44.734245376Z level=info msg="Request Completed" method=POST path=/login status=401 remote_addr=192.168.1.1 time_ms=10 duration=10.969722ms size=94 referer=https://monitor.domain.tld:32500/login handler=/login status_source=server errorReason=Unauthorized errorMessageID=password-auth.failed error="failed to authenticate identity: [identity.not-found] no user found: user not found"
\ No newline at end of file
+logger=context userId=0 orgId=0 uname= t=2025-07-17T13:08:44.734245376Z level=info msg="Request Completed" method=POST path=/login status=401 remote_addr=192.168.1.1 time_ms=10 duration=10.969722ms size=94 referer=https://monitor.domain.tld:32500/login handler=/login status_source=server errorReason=Unauthorized errorMessageID=password-auth.failed error="failed to authenticate identity: [identity.not-found] no user found: user not found"
+{"error":"user not found","level":"error","logger":"context","msg":"Invalid username or password","orgId":0,"remote_addr":"192.168.1.1","t":"2025-07-17T13:09:00.0000000Z","traceID":"","uname":"","userId":0}
\ No newline at end of file
diff --git a/.tests/grafana-logs/parser.assert b/.tests/grafana-logs/parser.assert
index 84ce7f0a88e..23eeac376af 100644
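Review bot: The fixture's new last line still ends without a trailing newline, as the `\ No newline at end of file` marker on the added side shows, so the next entry appended to grafana-logs.log will again show the previous line as removed and re-added, exactly what happened to the `t=2025-07-17T13:08:44.734245376Z` line in this hunk. The same commit adds the missing final newline to scenario.assert; ending the added JSON line with a newline here keeps future fixture diffs limited to the lines that actually change. The removed and re-added `Request Completed` lines are otherwise byte-identical, so nothing else in this hunk alters the parser's input.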
--- a/.tests/grafana-logs/parser.assert
+++ b/.tests/grafana-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 9
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 10
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2023-03-14T06:10:23.366875297+02:00 level=error msg=\"Invalid username or password\" error=\"user not found\" remote_addr=192.168.1.1 traceID="
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "grafana"
@@ -54,7 +54,13 @@ results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "graf
 basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 9
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.1\",\"t\":\"2025-07-17T13:09:00.0000000Z\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "grafana"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "grafana-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 10
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
@@ -64,300 +70,322 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false
-len(results["s01-parse"]["LePresidente/grafana-logs"]) == 9
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false
+len(results["s01-parse"]["LePresidente/grafana-logs"]) == 10
 results["s01-parse"]["LePresidente/grafana-logs"][0].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Parsed["auth_status"] == "Invalid"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2023-03-14T06:10:23.366875297+02:00 level=error msg=\"Invalid username or password\" error=\"user not found\" remote_addr=192.168.1.1 traceID="
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["service"] == "grafana"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["uname"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["userId"] == "0"
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["error"] == "user not found"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["level"] == "error"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["logger"] == "context"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["orgId"] == "0"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:10:23.366875297+02:00"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["error"] == "user not found"
-results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["orgId"] == "0"
+results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Unmarshaled["grafana"]["userId"] == "0"
 results["s01-parse"]["LePresidente/grafana-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][1].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Parsed["auth_status"] == "Invalid"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2023-03-14T06:11:26.182430512+02:00 level=error msg=\"Invalid username or password\" error=\"invalid username or password\" remote_addr=192.168.1.1 traceID="
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["service"] == "grafana"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["error"] == "invalid username or password"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:26.182430512+02:00"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["error"] == "invalid username or password"
+results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["orgId"] == "0"
-results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:26.182430512+02:00"
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][2].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Parsed["auth_status"] == "Successful"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Parsed["message"] == "logger=http.server t=2023-03-14T06:11:09.073590975+02:00 level=info msg=\"Successful Login\" User=admin@localhost"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Meta["service"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["logger"] == "http.server"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["msg"] == "Successful Login"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:09.073590975+02:00"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["User"] == "admin@localhost"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["level"] == "info"
-results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Unmarshaled["grafana"]["logger"] == "http.server"
 results["s01-parse"]["LePresidente/grafana-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][3].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Parsed["auth_status"] == "Invalid"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Parsed["message"] == "{\"error\":\"invalid username or password\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.2\",\"t\":\"2024-02-07T09:33:35.0353436+02:00\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["service"] == "grafana"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["userId"] == 0
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["error"] == "invalid username or password"
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:33:35.0353436+02:00"
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["level"] == "error"
-results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["logger"] == "context"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["orgId"] == 0
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["traceID"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:33:35.0353436+02:00"
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Unmarshaled["grafana"]["userId"] == 0
 results["s01-parse"]["LePresidente/grafana-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][4].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Parsed["auth_status"] == "Invalid"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.2\",\"t\":\"2024-02-07T09:34:51.1833376+02:00\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["log_format"] == "JSON"
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["service"] == "grafana"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:34:51.1833376+02:00"
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["userId"] == 0
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["error"] == "user not found"
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["orgId"] == 0
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["orgId"] == 0
+results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
 results["s01-parse"]["LePresidente/grafana-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][5].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Parsed["auth_status"] ==
"Successful" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Parsed["message"] == "{\"User\":\"admin@localhost\",\"level\":\"info\",\"logger\":\"http.server\",\"msg\":\"Successful Login\",\"t\":\"2024-02-07T09:34:16.8294691+02:00\"}" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Parsed["program"] == "grafana" +results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["datasource_path"]) == "grafana-logs.log" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["log_format"] == "JSON" -results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Meta["service"] == "grafana" -results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["msg"] == "Successful Login" -results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:34:16.8294691+02:00" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["User"] == "admin@localhost" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["level"] == "info" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["logger"] == "http.server" +results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["msg"] == "Successful Login" +results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:34:16.8294691+02:00" results["s01-parse"]["LePresidente/grafana-logs"][5].Evt.Whitelisted == false results["s01-parse"]["LePresidente/grafana-logs"][6].Success == true results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Parsed["auth_status"] == "Unauthorized" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Parsed["message"] == 
"logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:19.8927413+02:00 level=info msg=Unauthorized error=\"[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password\" remote_addr=192.168.1.3 traceID=" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Parsed["program"] == "grafana" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["datasource_path"]) == "grafana-logs.log" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["service"] == "grafana" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Meta["source_ip"] == "192.168.1.3" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T10:20:19.8927413+02:00" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["traceID"] == "" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["uname"] == "" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["level"] == "info" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["logger"] == "context" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["traceID"] == "" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["orgId"] == 
"0" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["userId"] == "0" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["orgId"] == "0" -results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T10:20:19.8927413+02:00" +results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3" results["s01-parse"]["LePresidente/grafana-logs"][6].Evt.Whitelisted == false results["s01-parse"]["LePresidente/grafana-logs"][7].Success == true results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Parsed["auth_status"] == "Unauthorized" results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:22.5261499+02:00 level=info msg=Unauthorized error=\"[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found\" remote_addr=192.168.1.3 traceID=" results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Parsed["program"] == "grafana" +results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["datasource_path"]) == "grafana-logs.log" results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["log_format"] == "CLF" -results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["log_type"] == "auth_failed" results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["service"] == "grafana" 
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Meta["source_ip"] == "192.168.1.3"
+results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["userId"] == "0"
+results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["level"] == "info"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["orgId"] == "0"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T10:20:22.5261499+02:00"
-results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found"
-results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized"
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s01-parse"]["LePresidente/grafana-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/grafana-logs"][8].Success == true
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2025-07-17T13:08:44.734245376Z level=info msg=\"Request Completed\" method=POST path=/login status=401 remote_addr=192.168.1.1 time_ms=10 duration=10.969722ms size=94 referer=https://monitor.domain.tld:32500/login handler=/login status_source=server errorReason=Unauthorized errorMessageID=password-auth.failed error=\"failed to authenticate identity: [identity.not-found] no user found: user not found\""
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["log_format"] == "CLF"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["service"] == "grafana"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["level"] == "info"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["method"] == "POST"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["msg"] == "Request Completed"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["status"] == "401"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:08:44.734245376Z"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["uname"] == ""
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["duration"] == "10.969722ms"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["errorMessageID"] == "password-auth.failed"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["handler"] == "/login"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["status_source"] == "server"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["error"] == "failed to authenticate identity: [identity.not-found] no user found: user not found"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["orgId"] == "0"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["duration"] == "10.969722ms"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["error"] == "failed to authenticate identity: [identity.not-found] no user found: user not found"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["errorReason"] == "Unauthorized"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["handler"] == "/login"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["referer"] == "https://monitor.domain.tld:32500/login"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["time_ms"] == "10"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["status"] == "401"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["method"] == "POST"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["path"] == "/login"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["status_source"] == "server"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:08:44.734245376Z"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["time_ms"] == "10"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["userId"] == "0"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["level"] == "info"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["msg"] == "Request Completed"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["size"] == "94"
-results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Unmarshaled["grafana"]["errorReason"] == "Unauthorized"
 results["s01-parse"]["LePresidente/grafana-logs"][8].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 9
+results["s01-parse"]["LePresidente/grafana-logs"][9].Success == true
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Parsed["auth_status"] == "Invalid"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.1\",\"t\":\"2025-07-17T13:09:00.0000000Z\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Parsed["program"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["datasource_path"]) == "grafana-logs.log"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["log_format"] == "JSON"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["service"] == "grafana"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["orgId"] == 0
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["userId"] == 0
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["error"] == "user not found"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:09:00.0000000Z"
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["traceID"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s01-parse"]["LePresidente/grafana-logs"][9].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 10
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_status"] == "Invalid"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2023-03-14T06:10:23.366875297+02:00 level=error msg=\"Invalid username or password\" error=\"user not found\" remote_addr=192.168.1.1 traceID="
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-14T06:10:23.366875297+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-03-14T06:10:23.366875297+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["error"] == "user not found"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["orgId"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:10:23.366875297+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["uname"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["error"] == "user not found"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["orgId"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:10:23.366875297+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_status"] == "Invalid"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2023-03-14T06:11:26.182430512+02:00 level=error msg=\"Invalid username or password\" error=\"invalid username or password\" remote_addr=192.168.1.1 traceID="
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-03-14T06:11:26.182430512+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-03-14T06:11:26.182430512+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:26.182430512+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["error"] == "invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["userId"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["orgId"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:26.182430512+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["grafana"]["userId"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "logger=http.server t=2023-03-14T06:11:09.073590975+02:00 level=info msg=\"Successful Login\" User=admin@localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-03-14T06:11:09.073590975+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-03-14T06:11:09.073590975+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["User"] == "admin@localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["logger"] == "http.server"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["msg"] == "Successful Login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["t"] == "2023-03-14T06:11:09.073590975+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["grafana"]["User"] == "admin@localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_status"] == "Invalid"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"error\":\"invalid username or password\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.2\",\"t\":\"2024-02-07T09:33:35.0353436+02:00\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-02-07T09:33:35.0353436+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-02-07T09:33:35.0353436+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:33:35.0353436+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["error"] == "invalid username or password"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["userId"] == 0
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["level"] == "error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["orgId"] == 0
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["traceID"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["userId"] == 0
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_status"] == "Invalid"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.2\",\"t\":\"2024-02-07T09:34:51.1833376+02:00\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-02-07T09:34:51.1833376+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-02-07T09:34:51.1833376+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["logger"] == "context"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["orgId"] == 0
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T09:34:51.1833376+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["error"] == "user not found"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["logger"] == "context"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["grafana"]["userId"] == 0
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
@@ -365,10 +393,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_status"] == "Successful"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\"User\":\"admin@localhost\",\"level\":\"info\",\"logger\":\"http.server\",\"msg\":\"Successful Login\",\"t\":\"2024-02-07T09:34:16.8294691+02:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_format"] == "JSON"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-02-07T09:34:16.8294691+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2024-02-07T09:34:16.8294691+02:00"
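Review bot: Dropping the `Evt.Meta["log_type"]` assertion in favour of `Evt.Meta["auth_status"]` for event [5] means `log_type` is no longer an asserted part of the parser's metadata contract, and nothing in this hunk (or in the surrounding s01/s02 hunks, which make the same swap for events [0]–[9]) asserts on a scenario-stage result, so a bucket that still filters on `evt.Meta.log_type` would silently stop pouring rather than fail this test. It would be worth adding, in the scenario section of this assert file, a check that the brute-force bucket still overflows on the normalized `failed` value, or at least a changelog note that `log_type` was renamed to `auth_status` with values `failed`/`success`. Also visible here: the successful-login event [5] carries no `Meta["source_ip"]` (the JSON `Successful Login` line has no `remote_addr`), so a success-after-failures correlation cannot key on IP for this log format — if that is intended, it deserves a one-line mention in the parser description.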
@@ -382,78 +410,101 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["auth_status"] == "Unauthorized"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:19.8927413+02:00 level=info msg=Unauthorized error=\"[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password\" remote_addr=192.168.1.3 traceID="
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.1.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2024-02-07T10:20:19.8927413+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2024-02-07T10:20:19.8927413+02:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["orgId"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["level"] == "info"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T10:20:19.8927413+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["traceID"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["logger"] == "context"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["grafana"]["orgId"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["auth_status"] == "Unauthorized"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2024-02-07T10:20:22.5261499+02:00 level=info msg=Unauthorized error=\"[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found\" remote_addr=192.168.1.3 traceID="
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.1.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2024-02-07T10:20:22.5261499+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2024-02-07T10:20:22.5261499+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["msg"] == "Unauthorized"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["orgId"] == "0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["t"] == "2024-02-07T10:20:22.5261499+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["traceID"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["uname"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["error"] == "[password-auth.failed] failed to authenticate identity: [identity.not-found] no user found: user not found"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["grafana"]["logger"] == "context"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "logger=context userId=0 orgId=0 uname= t=2025-07-17T13:08:44.734245376Z level=info msg=\"Request Completed\" method=POST path=/login status=401 remote_addr=192.168.1.1 time_ms=10 duration=10.969722ms size=94 referer=https://monitor.domain.tld:32500/login handler=/login status_source=server errorReason=Unauthorized errorMessageID=password-auth.failed error=\"failed to authenticate identity: [identity.not-found] no user found: user not found\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "grafana-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_format"] == "CLF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "grafana"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2025-07-17T13:08:44.734245376Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:08:44.734245376Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["status"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["size"] == "94"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["time_ms"] == "10"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["msg"] == "Request Completed"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["path"] == "/login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["status"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["status_source"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:08:44.734245376Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["errorMessageID"] == "password-auth.failed"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["errorReason"] == "Unauthorized"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["method"] == "POST"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["referer"] == "https://monitor.domain.tld:32500/login"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["uname"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["userId"] == "0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["duration"] == "10.969722ms"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["error"] == "failed to authenticate identity: [identity.not-found] no user found: user not found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["handler"] == "/login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["userId"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["errorMessageID"] == "password-auth.failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["time_ms"] == "10"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["method"] == "POST"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["msg"] == "Request Completed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["orgId"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:08:44.734245376Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["duration"] == "10.969722ms"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["errorReason"] == "Unauthorized"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["path"] == "/login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["referer"] == "https://monitor.domain.tld:32500/login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["auth_status"] == "Invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "{\"error\":\"user not found\",\"level\":\"error\",\"logger\":\"context\",\"msg\":\"Invalid username or password\",\"orgId\":0,\"remote_addr\":\"192.168.1.1\",\"t\":\"2025-07-17T13:09:00.0000000Z\",\"traceID\":\"\",\"uname\":\"\",\"userId\":0}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "grafana-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_format"] == "JSON"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "grafana"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2025-07-17T13:09:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2025-07-17T13:09:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["msg"] == "Invalid username or password"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["orgId"] == 0
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["t"] == "2025-07-17T13:09:00.0000000Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["traceID"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["uname"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["error"] == "user not found"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["userId"] == 0
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["level"] == "error"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["grafana"]["logger"] == "context"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/grafana_cve-2021-43798/parser.assert b/.tests/grafana_cve-2021-43798/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/harbor-bf/parser.assert b/.tests/harbor-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/harbor-bf/scenario.assert b/.tests/harbor-bf/scenario.assert
index a34b1dc25e1..8654318dffd 100644
--- a/.tests/harbor-bf/scenario.assert
+++ b/.tests/harbor-bf/scenario.assert
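Review bot: The same Grafana field is asserted with different types depending on the log format in this hunk: `Unmarshaled["grafana"]["orgId"] == "0"` and `["userId"] == "0"` for the CLF-parsed events [6]–[8], but `["orgId"] == 0` and `["userId"] == 0` for the JSON-parsed event [9] (and event [4] earlier in the file). Any scenario that compares on these fields would presumably have to handle both representations, so the parser that produces them (outside this file) should coerce them to a single type, or the format-dependent typing should be called out where the parser is documented. Separately, many `Unmarshaled["grafana"]` assertions for events [6]–[8] are removed and re-added with identical values in a different order, which buries the substantive changes (`Meta["log_type"]` replaced by `Meta["auth_status"]`, new event [9]); if these files are regenerated by tooling, emitting keys in sorted order would keep future diffs reviewable.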
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[0].Overflow.Sources["2.2.2.2"].Range == ""
 results[0].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "test@example.com"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test1@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "test1@example.com"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test2@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "test2@example.com"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test3@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "test3@example.com"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test4@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "test4@example.com"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "harbor-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "harbor-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "harbor_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "harbor"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test5@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "test5@example.com"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/harbor-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[1].Overflow.Sources["1.1.1.1"].Range == ""
 results[1].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "test"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "test1"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "test1"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "test2"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-16T12:11:40Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "test2"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "test3"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-16T12:11:40Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "test3"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "test4"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-16T12:11:41Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "test4"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "harbor-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "harbor-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "harbor_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "harbor"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "test5"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-16T12:11:41Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "test5"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/harbor-bf_user-enum"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["2.2.2.2"].IP == "2.2.2.2"
 results[2].Overflow.Sources["2.2.2.2"].Range == ""
 results[2].Overflow.Sources["2.2.2.2"].GetScope() == "Ip"
 results[2].Overflow.Sources["2.2.2.2"].GetValue() == "2.2.2.2"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[0].GetMeta("user") == "test@example.com"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[1].GetMeta("user") == "test@example.com"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[2].GetMeta("user") == "test@example.com"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[3].GetMeta("user") == "test@example.com"
-results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[4].GetMeta("user") == "test@example.com"
-results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "harbor-bf.log"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "harbor-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "harbor_failed_auth"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "harbor"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2.2.2.2"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[2].Overflow.Alert.Events[5].GetMeta("user") == "test@example.com"
 results[2].Overflow.Alert.GetScenario() == "LePresidente/harbor-bf"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[3].Overflow.Sources["1.1.1.1"].Range == ""
 results[3].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[3].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-16T12:11:39Z"
-results[3].Overflow.Alert.Events[0].GetMeta("user") == "test"
-results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-16T12:11:40Z"
-results[3].Overflow.Alert.Events[1].GetMeta("user") == "test"
-results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-16T12:11:40Z"
-results[3].Overflow.Alert.Events[2].GetMeta("user") == "test"
-results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-16T12:11:41Z"
-results[3].Overflow.Alert.Events[3].GetMeta("user") == "test"
-results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-16T12:11:41Z"
-results[3].Overflow.Alert.Events[4].GetMeta("user") == "test"
-results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "harbor-bf.log"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "harbor-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "harbor_failed_auth"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "harbor"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
+results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "test"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-16T12:11:42Z"
-results[3].Overflow.Alert.Events[5].GetMeta("user") == "test"
 results[3].Overflow.Alert.GetScenario() == "LePresidente/harbor-bf"
 results[3].Overflow.Alert.Remediation == true
-results[3].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[3].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/harbor-logs/harbor-logs.log b/.tests/harbor-logs/harbor-logs.log
index 6e891b990de..2347cac7005 100644
--- a/.tests/harbor-logs/harbor-logs.log
+++ b/.tests/harbor-logs/harbor-logs.log
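Review bot: The new side of this hunk renames the `user` meta key to `target_user` and drops `log_type` for every event (`-results[3].Overflow.Alert.Events[0].GetMeta("user") == "test"` / `+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "test"`), which is a change to the alert's meta interface, not only to these assertions: profiles, notification templates or dashboards that read `user` or `log_type` would now render an empty value rather than fail loudly. The same key change appears in the harbor-logs parser.assert hunks below, and the `log_type` → `auth_status` replacement also appears in the hestiacp-bf and hestiacp-logs hunks. If this is a deliberate harmonisation of meta keys across parsers, the parser's description or the changelog should name the old keys that consumers must migrate from; the commit message is not visible here, so it may already do so.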
@@ -1,2 +1,3 @@
 May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="1.1.1.1, 192.168.32.1" requestID="dfdfecc8-f49b-48b1-b32f-85b640ffe85f" user agent="docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \(linux\))"]: failed to authenticate user:test, error:Failed to authenticate user, due to error 'Invalid credentials'
-May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="2.2.2.2, 192.168.32.1" requestID="dfdfecc8-f49b-48b1-b32f-85b640ffe85f" user agent="docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \(linux\))"]: failed to authenticate user:test@example.com, error:Failed to authenticate user, due to error 'Invalid credentials'
\ No newline at end of file
+May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="2.2.2.2, 192.168.32.1" requestID="dfdfecc8-f49b-48b1-b32f-85b640ffe85f" user agent="docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \(linux\))"]: failed to authenticate user:test@example.com, error:Failed to authenticate user, due to error 'Invalid credentials'
+May 16 12:12:00 172.25.0.1 core[1160]: 2023-05-16T12:12:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="1.1.1.1, 192.168.32.1" requestID="test123456789012345678901234567890" user agent="docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \(linux\))"]: failed to authenticate user:crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, error:Failed to authenticate user, due to error 'Invalid credentials'
\ No newline at end of file
diff --git a/.tests/harbor-logs/parser.assert b/.tests/harbor-logs/parser.assert
index 8e0ee9e1396..7dce718a7d2 100644
--- a/.tests/harbor-logs/parser.assert
+++ b/.tests/harbor-logs/parser.assert
@@ -1,36 +1,45 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"dfdfecc8-f49b-48b1-b32f-85b640ffe85f\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:test, error:Failed to authenticate user, due to error 'Invalid credentials'"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "harbor"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "harbor-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"2.2.2.2, 192.168.32.1\" requestID=\"dfdfecc8-f49b-48b1-b32f-85b640ffe85f\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:test@example.com, error:Failed to authenticate user, due to error 'Invalid credentials'"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "harbor"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "harbor-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "May 16 12:12:00 172.25.0.1 core[1160]: 2023-05-16T12:12:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"test123456789012345678901234567890\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, error:Failed to authenticate user, due to error 'Invalid credentials'"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "harbor"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "harbor-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-len(results["s01-parse"]["LePresidente/harbor-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+len(results["s01-parse"]["LePresidente/harbor-logs"]) == 3
 results["s01-parse"]["LePresidente/harbor-logs"][0].Success == true
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["program"] == "harbor"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["remote_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["timestamp"] == "2023-05-16T12:11:39Z"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["username"] == "test"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["ERROR"] == "ERROR"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["PID"] == "1160"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["internal_ip"] == "192.168.32.1"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["message"] == "May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"dfdfecc8-f49b-48b1-b32f-85b640ffe85f\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:test, error:Failed to authenticate user, due to error 'Invalid credentials'"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["user"] == "test"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["datasource_path"] == "harbor-logs.log"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["program"] == "harbor"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["timestamp"] == "2023-05-16T12:11:39Z"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["username"] == "test"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["log_type"] == "harbor_failed_auth"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["service"] == "harbor"
 results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Meta["target_user"] == "test"
+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/harbor-logs"][1].Success == true
-results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["username"] == "test@example.com"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["ERROR"] == "ERROR"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["PID"] == "1160"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["internal_ip"] == "192.168.32.1"
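Review bot: The re-added `+results["s01-parse"]["LePresidente/harbor-logs"][0].Evt.Parsed["remote_ip"] == "1.1.1.1"`, together with the context lines `Parsed["internal_ip"] == "192.168.32.1"` and `Meta["source_ip"] == "1.1.1.1"`, pin the parser to the first element of the two-element `client IP="1.1.1.1, 192.168.32.1"` field as the address a scenario will act on. That comma-separated shape looks like a forwarded-address chain recorded behind Harbor's reverse proxy, in which case the first element may come from a request header rather than the TCP peer; the page does not show how Harbor fills that field, so this needs confirming against the Harbor source before the choice is relied on for remediation. Whatever the answer, the parser's description should state which element becomes `source_ip` and why, and the fixture would benefit from a line whose `client IP` holds a single address so the assertions also cover the unproxied form.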
@@ -38,14 +47,33 @@ results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["message"] == "Ma
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["program"] == "harbor"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["remote_ip"] == "2.2.2.2"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["timestamp"] == "2023-05-16T12:11:39Z"
-results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["user"] == "test@example.com"
-results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["datasource_path"] == "harbor-logs.log"
+results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Parsed["username"] == "test@example.com"
+results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["log_type"] == "harbor_failed_auth"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["service"] == "harbor"
 results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["source_ip"] == "2.2.2.2"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Meta["target_user"] == "test@example.com"
+results["s01-parse"]["LePresidente/harbor-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["LePresidente/harbor-logs"][2].Success == true
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["ERROR"] == "ERROR"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["PID"] == "1160"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["internal_ip"] == "192.168.32.1"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["message"] == "May 16 12:12:00 172.25.0.1 core[1160]: 2023-05-16T12:12:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"test123456789012345678901234567890\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, error:Failed to authenticate user, due to error 'Invalid credentials'"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["program"] == "harbor"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["remote_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["timestamp"] == "2023-05-16T12:12:00Z"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["datasource_path"]) == "harbor-logs.log"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["service"] == "harbor"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/harbor-logs"][2].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ERROR"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["PID"] == "1160"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["internal_ip"] == "192.168.32.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"dfdfecc8-f49b-48b1-b32f-85b640ffe85f\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:test, error:Failed to authenticate user, due to error 'Invalid credentials'"
@@ -53,16 +81,17 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-05-16T12:11:39Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ERROR"] == "ERROR"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "harbor-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "harbor_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "harbor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-05-16T12:11:39Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-05-16T12:11:39Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ERROR"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["PID"] == "1160"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["internal_ip"] == "192.168.32.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "May 16 12:11:39 172.25.0.1 core[1160]: 2023-05-16T12:11:39Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"2.2.2.2, 192.168.32.1\" requestID=\"dfdfecc8-f49b-48b1-b32f-85b640ffe85f\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:test@example.com, error:Failed to authenticate user, due to error 'Invalid credentials'"
@@ -70,13 +99,31 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_ip"] == "2.2.2.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-05-16T12:11:39Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ERROR"] == "ERROR"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "harbor-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "harbor-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "harbor_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "harbor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "2.2.2.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-05-16T12:11:39Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-05-16T12:11:39Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ERROR"] == "ERROR"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["PID"] == "1160"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["internal_ip"] == "192.168.32.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "May 16 12:12:00 172.25.0.1 core[1160]: 2023-05-16T12:12:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP=\"1.1.1.1, 192.168.32.1\" requestID=\"test123456789012345678901234567890\" user agent=\"docker/23.0.6 go/go1.19.9 git-commit/9dbdbd4 kernel/5.15.90.1-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/23.0.6 \\(linux\\))\"]: failed to authenticate user:crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl, error:Failed to authenticate user, due to error 'Invalid credentials'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "harbor"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-05-16T12:12:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "harbor-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "harbor"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-05-16T12:12:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-05-16T12:12:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/hestiacp-bf/scenario.assert b/.tests/hestiacp-bf/scenario.assert
index 667ba7b0a72..a1d335b7f1a 100644
--- a/.tests/hestiacp-bf/scenario.assert
+++ b/.tests/hestiacp-bf/scenario.assert
@@ -4,44 +4,44 @@ results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
 results[0].Overflow.Sources["192.168.1.1"].Range == ""
 results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test_username"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-22T01:26:30Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test1_username"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-22T01:26:34Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test2_username"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-22T01:26:38Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test3_username"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-22T01:26:42Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test4_username"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-22T01:26:46Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "hestiacp_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "hestiacp"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.1"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test5_username"
@@ -54,44 +54,44 @@ results[1].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
 results[1].Overflow.Sources["192.168.1.1"].Range == ""
 results[1].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "test_username"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-22T01:26:30Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "test1_username"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-22T01:26:34Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "test2_username"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-22T01:26:38Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "test3_username"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-22T01:26:42Z"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "test4_username"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-22T01:26:46Z"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "hestiacp-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "hestiacp_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "hestiacp"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.1"
 results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "test5_username"
diff --git a/.tests/hestiacp-logs/parser.assert b/.tests/hestiacp-logs/parser.assert
index 08d0b9b5393..5fab1eaf37e 100644
--- a/.tests/hestiacp-logs/parser.assert
+++ b/.tests/hestiacp-logs/parser.assert
@@ -22,9 +22,9 @@ results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Parsed["program"] == "
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Parsed["timestamp"] == "2025-02-22 01:27:36"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Parsed["username"] == "test_username"
+results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["datasource_path"]) == "hestiacp-logs.log"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["log_type"] == "hestiacp_failed_auth"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["service"] == "hestiacp"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][0].Evt.Meta["target_user"] == "test_username"
@@ -35,9 +35,9 @@ results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Parsed["program"] == "
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Parsed["timestamp"] == "2025-02-22 01:27:40"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Parsed["username"] == "test-username"
+results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["datasource_path"]) == "hestiacp-logs.log"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["log_type"] == "hestiacp_failed_auth"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["service"] == "hestiacp"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/hestiacp-logs"][1].Evt.Meta["target_user"] == "test-username"
@@ -49,9 +49,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2025-02-22 01:27:36"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test_username"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "hestiacp-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "hestiacp_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "hestiacp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test_username"
@@ -64,9 +64,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2025-02-22 01:27:40"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test-username"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "hestiacp-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "hestiacp_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "hestiacp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test-username"
diff --git a/.tests/home-assistant/parser.assert b/.tests/home-assistant/parser.assert
index 3f51740191c..a119cc2ea03 100644
--- a/.tests/home-assistant/parser.assert
+++ b/.tests/home-assistant/parser.assert
@@ -96,8 +96,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Parsed["http_us
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Parsed["message"] == "2021-12-12 12:32:19 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36)"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][0].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Success == true
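Review bot: The expected `service` meta value changes from `"http"` to `"home-assistant"` in the same hunk that swaps `log_type` for `auth_status`, so this is a behavioural change to the parser's emitted metadata, not just a key rename; the same pair of changes recurs in every later hunk of this file through -460. Any scenario, whitelist or profile that still matches on `evt.Meta.service == "http"` or on `evt.Meta.log_type` will silently stop firing, because these assertions only pin what the parser produces; the parser YAML and scenario changes are not in this chunk, so I cannot confirm they were updated together. The new values are at least consistent across all 14 events in both the s01-parse and s02-enrich stages, which is what you would expect if the parser's static `meta` block was edited rather than a per-line pattern.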
@@ -111,8 +111,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Parsed["threadN
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Parsed["source_rdns"] == "localhost"
@@ -123,8 +123,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Parsed["message
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Parsed["program"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][2].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
@@ -140,8 +140,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["source_ip
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][3].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Parsed["message"] == "2021-12-12 12:32:22 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36)"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Parsed["program"] == "home-assistant"
@@ -152,8 +152,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Parsed["time"]
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][4].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Success == true
@@ -168,8 +168,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["source_ip
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][5].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Parsed["threadName"] == "MainThread"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Parsed["time"] == "2021-12-12 12:32:23"
@@ -180,8 +180,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Parsed["source_
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Parsed["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][6].Evt.Meta["source_rdns"] == "localhost"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Success == true
@@ -192,12 +192,12 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Parsed["source_
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Parsed["source_rdns"] == "localhost.home"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Parsed["threadName"] == "MainThread"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Parsed["time"] == "2022-02-10 06:56:48"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["source_ip"] == "192.168.1.23"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["source_rdns"] == "localhost.home"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["log_type"] == "home-assistant_failed_auth"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][7].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Parsed["program"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Parsed["source_ip"] == "192.168.254.4"
@@ -210,8 +210,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Parsed["message
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][8].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Parsed["program"] == "home-assistant"
@@ -226,8 +226,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["source_ip
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][9].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Parsed["message"] == "2022-08-11 01:37:57.644 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.254.4 (192.168.254.4). Requested URL: '/auth/login_flow/15168dcd077f019968334f81c0ae7e32'. (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)"
@@ -239,8 +239,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Parsed["time"]
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Parsed["url"] == "/auth/login_flow/15168dcd077f019968334f81c0ae7e32"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][10].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Success == true
@@ -253,8 +253,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Parsed["messag
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Parsed["program"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Parsed["source_ip"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][11].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
@@ -271,8 +271,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["source_i
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][12].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Success == true
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Parsed["program"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Parsed["source_ip"] == "192.168.254.4"
@@ -284,8 +284,8 @@ results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Parsed["http_u
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Parsed["message"] == "2022-08-11 01:38:00.587 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.254.4 (192.168.254.4). Requested URL: '/auth/login_flow/fc3d138f29d7be40b46dc4bdbc86fbb8'. (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["service"] == "home-assistant"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s01-parse"]["crowdsecurity/home-assistant-logs"][13].Evt.Meta["source_rdns"] == "192.168.254.4"
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 14
@@ -301,8 +301,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_rdns
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2021-12-12T12:32:19Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2021-12-12T12:32:19Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
@@ -315,8 +315,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2021-12-12T12:32:21Z"
@@ -333,8 +333,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_rdns
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2021-12-12T12:32:21Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2021-12-12T12:32:21Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
@@ -345,13 +345,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["threadNam
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] == "2021-12-12 12:32:22"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2021-12-12 12:32:22 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36)"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2021-12-12T12:32:22Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "home-assistant_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2021-12-12T12:32:22Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "127.0.0.1"
@@ -362,8 +362,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_user
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2021-12-12 12:32:22 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2021-12-12T12:32:22Z"
@@ -377,8 +377,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_rd
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["threadName"] == "MainThread"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "2021-12-12 12:32:23"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2021-12-12T12:32:23Z"
@@ -395,8 +395,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_rdns"] == "localhost"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2021-12-12T12:32:23Z"
@@ -413,8 +413,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_rdns
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-02-10T06:56:48Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.1.23"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2022-02-10T06:56:48Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
@@ -426,8 +426,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["threadNam
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["time"] == "2022-08-11 01:37:55.287"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["url"] == "/auth/login_flow/69d9550b6315c1b2c241a0bb68323883"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-08-11T01:37:55.287Z"
@@ -444,8 +444,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["threadName"] == "MainThread"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2022-08-11T01:37:56.287Z"
@@ -460,8 +460,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["threadNa
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["time"] == "2022-08-11 01:37:57.644"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["url"] == "/auth/login_flow/15168dcd077f019968334f81c0ae7e32"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-08-11T01:37:57.644Z"
@@ -478,8 +478,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-08-11T01:37:58.454Z"
@@ -499,8 +499,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_rdn
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2022-08-11T01:37:59.587Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "home-assistant_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2022-08-11T01:37:59.587Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["threadName"] == "MainThread"
@@ -511,12 +511,12 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_rdns"] == "192.168.254.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "home-assistant"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_rdns"] == "192.168.254.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2022-08-11T01:38:00.587Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "home-assistant-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "home-assistant_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2022-08-11T01:38:00.587Z"
 len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/home-assistant/scenario.assert b/.tests/home-assistant/scenario.assert
index afc5281a6b0..97678dca40c 100644
--- a/.tests/home-assistant/scenario.assert
+++ b/.tests/home-assistant/scenario.assert
@@ -6,43 +6,43 @@ results[0].Overflow.Sources["192.168.254.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.254.4"].GetValue() == "192.168.254.4"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[0].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-08-11T01:37:55.287Z"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[1].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-08-11T01:37:56.287Z"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[2].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-08-11T01:37:57.644Z"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[3].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-08-11T01:37:58.454Z"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[4].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-08-11T01:37:59.587Z"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "home-assistant_failed_auth"
-results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "home-assistant"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.254.4"
 results[0].Overflow.Alert.Events[5].GetMeta("source_rdns") == "192.168.254.4"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-08-11T01:38:00.587Z"
@@ -56,43 +56,43 @@ results[1].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[0].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-12-12T12:32:19Z"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[1].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-12-12T12:32:21Z"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[2].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[2].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-12-12T12:32:21Z"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[3].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[3].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-12-12T12:32:22Z"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[4].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[4].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[4].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-12-12T12:32:22Z"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "home-assistant-logs.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "home-assistant_failed_auth"
-results[1].Overflow.Alert.Events[5].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+results[1].Overflow.Alert.Events[5].GetMeta("service") == "home-assistant"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
 results[1].Overflow.Alert.Events[5].GetMeta("source_rdns") == "localhost"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-12-12T12:32:23Z"
diff --git a/.tests/http-bf-wordpress-bf/scenario.assert b/.tests/http-bf-wordpress-bf/scenario.assert
index 84ba996d687..a9dee7cfe52 100644
--- a/.tests/http-bf-wordpress-bf/scenario.assert
+++ b/.tests/http-bf-wordpress-bf/scenario.assert
@@ -1,8 +1,10 @@
+len(results) == 1
 "81.150.104.130" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["81.150.104.130"].IP == "81.150.104.130"
 results[0].Overflow.Sources["81.150.104.130"].Range == ""
 results[0].Overflow.Sources["81.150.104.130"].GetScope() == "Ip"
 results[0].Overflow.Sources["81.150.104.130"].GetValue() == "81.150.104.130"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/wp-login.php"
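Review bot: Only the two http-wordpress test files switch their `datasource_path` checks to `basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"`, while the home-assistant assertions changed in this same commit still compare the raw `GetMeta("datasource_path")` value to a bare filename, so the suite is now inconsistent about whether the runner supplies a directory-qualified path. If it does, the unchanged exact-match assertions will start failing; if it does not, the relaxation here drops the check that the events came from the configured file rather than a same-named file elsewhere. Either apply `basename()` uniformly or state the reason for the two exceptions in the commit description. The same pattern repeats in the @@ -12, -22, -32, -42 and -52 hunks of this file and throughout .tests/http-wordpress_wpconfig/scenario.assert.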
@@ -12,7 +14,8 @@ results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "81.150.104.130"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "http-bf-wordpress-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/wp-login.php"
@@ -22,7 +25,8 @@ results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "81.150.104.130"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "http-bf-wordpress-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/wp-login.php"
@@ -32,7 +36,8 @@ results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "81.150.104.130"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "http-bf-wordpress-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/wp-login.php"
@@ -42,7 +47,8 @@ results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "81.150.104.130"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "http-bf-wordpress-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/wp-login.php"
@@ -52,7 +58,8 @@ results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "81.150.104.130"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "http-bf-wordpress-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "http-bf-wordpress-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/wp-login.php"
@@ -62,6 +69,7 @@ results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "POST"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "81.150.104.130"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-09-15T16:13:46Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-bf-wordpress_bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/http-cve-probing/parser.assert b/.tests/http-cve-probing/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/http-dos-bypass-cache/parser.assert b/.tests/http-dos-bypass-cache/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/http-dos-random-uri/parser.assert b/.tests/http-dos-random-uri/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/http-dos-switching-ua/parser.assert b/.tests/http-dos-switching-ua/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/http-magento-bf/parser.assert b/.tests/http-magento-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/http-wordpress_wpconfig/scenario.assert b/.tests/http-wordpress_wpconfig/scenario.assert
index 8ce5b5e01c2..53f3b9435fe 100644
--- a/.tests/http-wordpress_wpconfig/scenario.assert
+++ b/.tests/http-wordpress_wpconfig/scenario.assert
@@ -1,9 +1,10 @@
+len(results) == 1
 "167.71.13.196" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["167.71.13.196"].IP == "167.71.13.196"
 results[0].Overflow.Sources["167.71.13.196"].Range == ""
 results[0].Overflow.Sources["167.71.13.196"].GetScope() == "Ip"
 results[0].Overflow.Sources["167.71.13.196"].GetValue() == "167.71.13.196"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/wp-config.php"
@@ -13,7 +14,8 @@ results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "167.71.13.196"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-07-08T11:07:07Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/.wp-config.php.swp"
@@ -23,7 +25,8 @@ results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "167.71.13.196"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-07-08T11:07:08Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/wp-config.php.txt"
@@ -33,7 +36,8 @@ results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "167.71.13.196"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-07-08T11:07:10Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/wp-config.php.bak"
@@ -43,7 +47,8 @@ results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "167.71.13.196"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-07-08T11:07:10Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/wp-config.php.old"
@@ -53,7 +58,8 @@ results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "167.71.13.196"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "http-wordpress_wpconfig.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-07-08T11:07:10Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "http-wordpress_wpconfig.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/wp-config.php.dist"
@@ -63,6 +69,7 @@ results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "167.71.13.196"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-07-08T11:07:11Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-wordpress_wpconfig"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/immich-bf/config.yaml b/.tests/immich-bf/config.yaml
index e4d78d7139b..4316fa934d3 100644
--- a/.tests/immich-bf/config.yaml
+++ b/.tests/immich-bf/config.yaml
@@ -9,5 +9,5 @@ postoverflows:
 log_file: immich-bf.log
 log_type: immich
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
 override_statics: []
diff --git a/.tests/immich-bf/parser.assert b/.tests/immich-bf/parser.assert
deleted file mode 100644
index ec3a5029c93..00000000000
--- a/.tests/immich-bf/parser.assert
+++ /dev/null
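Review bot: Flipping `ignore_parsers: false` to `ignore_parsers: true` while deleting `.tests/immich-bf/parser.assert` in the same commit removes every parser-level assertion for the immich test, so a regression in how the immich parser handles its `[AuthService] Failed login attempt ... from ip address ...` lines would only surface indirectly, if at all, through scenario.assert. Unlike the other parser.assert deletions in this commit, whose old blob is the empty object (`e69de29bb2d`), this file had content: the following hunk shows `@@ -1,230 +0,0 @@` with per-stage `Success == true` and `Evt.Parsed` checks. If that coverage now lives in another test directory, name it in the commit description; otherwise keep `ignore_parsers: false` and a reduced parser.assert that pins at least the per-event `Success` flags and the fields the scenario consumes. The deleted-file hunk itself continues past the end of this chunk.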
@@ -1,230 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
-len(results["s01-parse"]["gauth-fr/immich-logs"]) == 7
-results["s01-parse"]["gauth-fr/immich-logs"][0].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][4].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][5].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["service"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][6].Evt.Meta["user"] == "azaz@qsqs.com"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "immich-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
-len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/immich-bf/scenario.assert b/.tests/immich-bf/scenario.assert
index 6dcae3de69c..74719a2e0bf 100644
--- a/.tests/immich-bf/scenario.assert
+++ b/.tests/immich-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["192.168.0.254"].IP == "192.168.0.254"
 results[0].Overflow.Sources["192.168.0.254"].Range == ""
 results[0].Overflow.Sources["192.168.0.254"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.0.254"].GetValue() == "192.168.0.254"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "azaz@qsqs.com"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "azaz@qsqs.com"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "azaz@qsqs.com"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "azaz@qsqs.com"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "azaz@qsqs.com"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "immich-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "immich-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "immich_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "immich"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-08-02T19:32:47Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "azaz@qsqs.com"
 results[0].Overflow.Alert.GetScenario() == "gauth-fr/immich-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/immich-logs/immich-logs.log b/.tests/immich-logs/immich-logs.log
index bd81b1a5584..18e32f35447 100644
--- a/.tests/immich-logs/immich-logs.log
+++ b/.tests/immich-logs/immich-logs.log
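Review bot: The `log_type` meta assertion on each event is dropped rather than updated (`results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "immich_failed_auth"`, and the same line for Events[1] to Events[5]), so this scenario test no longer pins which parser classification the overflow was built from; the new `auth_status == "failed"` lines cover the outcome but not that key. If the parser still sets `log_type`, keeping those six assertions with the current value would preserve the check; if the key was renamed or removed, that is not visible from this hunk because the companion parser.assert is deleted in the same commit, and the commit message should say so. Note also that `basename(...)` turns the `datasource_path` check from an exact match into a file-name match, which is fine as long as no test depends on the directory component.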
@@ -1,4 +1,5 @@
 [Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254
 [Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
 [Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212
-\x1b[33m[Nest] 6 - \x1b[39m08/04/2023, 8:47:38 PM \x1b[33m WARN\x1b[39m \x1b[38;5;3m[AuthService] \x1b[39m\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\x1b
\ No newline at end of file
+\x1b[33m[Nest] 6 - \x1b[39m08/04/2023, 8:47:38 PM \x1b[33m WARN\x1b[39m \x1b[38;5;3m[AuthService] \x1b[39m\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\x1b
+[Nest] 7 - 08/04/2023, 8:48:00 PM WARN [AuthService] Failed login attempt for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from ip address 192.168.0.254
\ No newline at end of file
diff --git a/.tests/immich-logs/parser.assert b/.tests/immich-logs/parser.assert
index 20eb1ffc004..e538e88dad4 100644
--- a/.tests/immich-logs/parser.assert
+++ b/.tests/immich-logs/parser.assert
@@ -1,79 +1,95 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "immich"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "immich"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "immich"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[Nest] 7 - 08/04/2023, 8:48:00 PM WARN [AuthService] Failed login attempt for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from ip address 192.168.0.254"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "immich"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "immich-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-len(results["s01-parse"]["gauth-fr/immich-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+len(results["s01-parse"]["gauth-fr/immich-logs"]) == 5
 results["s01-parse"]["gauth-fr/immich-logs"][0].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["user"] == "azaz@qsqs.com"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["target_user"] == "azaz@qsqs.com"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["gauth-fr/immich-logs"][1].Success == true
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["source_ip"] == "176.172.44.211"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03 PM"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["username"] == "fds@hdd.com"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["source_ip"] == "176.172.44.211"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["user"] == "fds@hdd.com"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["service"] == "immich"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["source_ip"] == "176.172.44.211"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["target_user"] == "fds@hdd.com"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["gauth-fr/immich-logs"][2].Success == true
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["source_ip"] == "176.172.44.212"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["username"] == "fds@hdd.com"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["source_ip"] == "176.172.44.212"
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["user"] == "fds@hdd.com"
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["target_user"] == "fds@hdd.com"
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["gauth-fr/immich-logs"][3].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["username"] == "fjdi@fkdk.cof"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["source_ip"] == "176.171.169.54"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["timestamp"] == "08/04/2023, 8:47:38 PM"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["username"] == "fjdi@fkdk.cof"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["source_ip"] == "176.171.169.54"
-results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["user"] == "fjdi@fkdk.cof"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["target_user"] == "fjdi@fkdk.cof"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["gauth-fr/immich-logs"][4].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
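Review bot: `results["s01-parse"]["gauth-fr/immich-logs"][4].Success == false` near the end of this hunk pins that the parser drops the fixture line appended in the immich-logs.log hunk above (`Failed login attempt for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from ip address 192.168.0.254`), although that line has exactly the shape of the four lines that do parse and differs only in the username not looking like an e-mail address. If that is deliberate — the username reads like a hub-wide sentinel, and the jellyfin-logs.log hunk further down gets the same one — nothing in this file records it; if it is not, it is a detection gap, since failed logins for non-e-mail usernames would never reach the immich-bf scenario. Either state the expectation next to the assert (a line such as `# line 5 carries the sentinel user and must not parse`, if the assert format accepts comment lines) or assert `Success == true` with the same Parsed/Meta set as events 0–3. The jellyfin-logs/parser.assert hunk at the end of this view presumably makes the same choice, but it is cut off before its s01-parse asserts.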
@@ -81,54 +97,58 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.0.254"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "azaz@qsqs.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "176.172.44.211"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03 PM"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "fds@hdd.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "176.172.44.211"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "fds@hdd.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-08-02T19:34:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "fds@hdd.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:34:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "176.172.44.212"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "fds@hdd.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "immich"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "fds@hdd.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "176.172.44.212"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "fds@hdd.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-08-02T07:34:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-08-02T07:34:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "176.171.169.54"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "08/04/2023, 8:47:38 PM"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "fjdi@fkdk.cof"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "immich-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "176.171.169.54"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "fjdi@fkdk.cof"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-08-04T20:47:38Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "fjdi@fkdk.cof"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-08-04T20:47:38Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/iptables-scan-multi-port/parser.assert b/.tests/iptables-scan-multi-port/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/ipv6-postoverflow/parser.assert b/.tests/ipv6-postoverflow/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/jellyfin-bf/parser.assert b/.tests/jellyfin-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/jellyfin-bf/scenario.assert b/.tests/jellyfin-bf/scenario.assert
index d1dc66c51a4..a5230716c93 100644
--- a/.tests/jellyfin-bf/scenario.assert
+++ b/.tests/jellyfin-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[0].Overflow.Sources["127.0.0.1"].Range == ""
 results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "testuser"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "testuser"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "testuser"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "testuser"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "testuser"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyfin-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "jellyfin-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyfin_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-02-12T12:16:05.729Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "testuser"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/jellyfin-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/jellyfin-logs/jellyfin-logs.log b/.tests/jellyfin-logs/jellyfin-logs.log
index ecc088955cb..2b9d9e04756 100644
--- a/.tests/jellyfin-logs/jellyfin-logs.log
+++ b/.tests/jellyfin-logs/jellyfin-logs.log
@@ -1,4 +1,5 @@
 [2023-02-12 12:16:05.729 +01:00] [INF] [79] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "testuser" has been denied (IP: "127.0.0.1").
 [2023-02-13 08:37:50.708 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "testuser" has succeeded.
 [2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45).
-[2023-02-13 08:37:50.708 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has succeeded.
\ No newline at end of file
+[2023-02-13 08:37:50.708 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has succeeded.
+[2023-02-13 08:38:00.000 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" has been denied (IP: "127.0.0.1").
\ No newline at end of file
diff --git a/.tests/jellyfin-logs/parser.assert b/.tests/jellyfin-logs/parser.assert
index d55cab68b95..24a6bbb4a5a 100644
--- a/.tests/jellyfin-logs/parser.assert
+++ b/.tests/jellyfin-logs/parser.assert
@@ -1,84 +1,127 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[2023-02-12 12:16:05.729 +01:00] [INF] [79] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"testuser\" has been denied (IP: \"127.0.0.1\")."
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "jellyfin"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[2023-02-13 08:37:50.708 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"testuser\" has succeeded."
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "jellyfin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45)."
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "jellyfin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[2023-02-13 08:37:50.708 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has succeeded."
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "jellyfin"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[2023-02-13 08:38:00.000 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" has been denied (IP: \"127.0.0.1\")."
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "jellyfin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-len(results["s01-parse"]["LePresidente/jellyfin-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+len(results["s01-parse"]["LePresidente/jellyfin-logs"]) == 5
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Success == true
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["message"] == "[2023-02-12 12:16:05.729 +01:00] [INF] [79] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"testuser\" has been denied (IP: \"127.0.0.1\")."
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["program"] == "jellyfin"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["timestamp"] == "2023-02-12 12:16:05.729"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["username"] == "testuser"
+results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["log_type"] == "jellyfin_failed_auth"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["service"] == "jellyfin"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["user"] == "testuser"
-results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["target_user"] == "testuser"
+results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/jellyfin-logs"][1].Success == false
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Success == true
+results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["message"] == "[2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45)."
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["program"] == "jellyfin"
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["source_ip"] == "163.234.23.45"
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["timestamp"] == "2023-05-20 17:22:00.500"
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["username"] == "testuser"
-results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Parsed["message"] == "[2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45)."
-results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["source_ip"] == "163.234.23.45"
-results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["user"] == "testuser"
-results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["log_type"] == "jellyfin_failed_auth"
 results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["service"] == "jellyfin"
+results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["source_ip"] == "163.234.23.45"
+results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Meta["target_user"] == "testuser"
+results["s01-parse"]["LePresidente/jellyfin-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/jellyfin-logs"][3].Success == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Success == true
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Parsed["message"] == "[2023-02-13 08:38:00.000 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" has been denied (IP: \"127.0.0.1\")."
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Parsed["program"] == "jellyfin"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Parsed["timestamp"] == "2023-02-13 08:38:00.000"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["service"] == "jellyfin"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/jellyfin-logs"][4].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[2023-02-12 12:16:05.729 +01:00] [INF] [79] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"testuser\" has been denied (IP: \"127.0.0.1\")."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "jellyfin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-02-12 12:16:05.729"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "testuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[2023-02-12 12:16:05.729 +01:00] [INF] [79] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"testuser\" has been denied (IP: \"127.0.0.1\")."
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "jellyfin_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "jellyfin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "testuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-02-12T12:16:05.729Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "testuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-02-12T12:16:05.729Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45)."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "jellyfin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "163.234.23.45"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-05-20 17:22:00.500"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "testuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[2023-05-20 17:22:00.500 +02:00] [INF] [19] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for testuser has been denied (IP: 163.234.23.45)."
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "jellyfin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "163.234.23.45"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "testuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-05-20T17:22:00.5Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "testuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "jellyfin_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-05-20T17:22:00.5Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[2023-02-13 08:38:00.000 +01:00] [INF] [115] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for \"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\" has been denied (IP: \"127.0.0.1\")."
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "jellyfin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-02-13 08:38:00.000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "jellyfin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "jellyfin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-02-13T08:38:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-02-13T08:38:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/jellyfin-syslog-bf/parser.assert b/.tests/jellyfin-syslog-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/jellyfin-syslog-bf/scenario.assert b/.tests/jellyfin-syslog-bf/scenario.assert
index 319b8000487..bc09271cba6 100644
--- a/.tests/jellyfin-syslog-bf/scenario.assert
+++ b/.tests/jellyfin-syslog-bf/scenario.assert
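Review bot: The new event [4] in this hunk pins only a quoted username made of alphanumerics and hyphens (`crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`), so the assertions still never exercise a username that contains a quote, a parenthesis or the literal `(IP:` marker. Since `Evt.Meta["source_ip"]` from this parser is what the bruteforce scenario bans, a fixture line of that shape, asserted here with `Evt.Parsed["source_ip"]` and `Evt.Meta["target_user"]`, would pin that the IP is always taken from the trailing `(IP: ...)` group rather than from username text; the parser regex is not in this diff, so treat this as a coverage gap rather than a confirmed defect. Note also that lines [1] and [3] (the `has succeeded` messages) remain `Success == false`, so `auth_status` only ever takes the value `"failed"` here; if success events are intentionally left unparsed, a one-line comment in the parser saying so would document that choice.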
@@ -6,52 +6,52 @@ results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyfin_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "subuina"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "jellyfin"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-18T10:22:17+02:00"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "testuser"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "testuser"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/jellyfin-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
diff --git a/.tests/jellyfin-syslog-logs/parser.assert b/.tests/jellyfin-syslog-logs/parser.assert
index f3fec6d635b..fc49580b68a 100644
--- a/.tests/jellyfin-syslog-logs/parser.assert
+++ b/.tests/jellyfin-syslog-logs/parser.assert
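Review bot: This hunk keeps `results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyfin-syslog-bf.log"` (and the same exact-string form for events 1 through 5) while the jellyfin-bf, jellyfin-logs and jellyseerr-bf asserts in this same commit were switched to `basename(...) == "..."`. If the `basename()` wrapping was introduced because the harness now reports a longer path, these unwrapped lines will fail for the same reason; if it was only stylistic, the two forms should at least be consistent across the commit. The same unwrapped form survives in both hunks of `.tests/jellyfin-syslog-logs/parser.assert` (`Evt.Meta["datasource_path"] == "jellyfin-syslog-logs.log"`), so I would change them together, e.g. `basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyfin-syslog-bf.log"`.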
@@ -29,11 +29,11 @@ results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["source_ip"] ==
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Parsed["timestamp8601"] == "2023-07-18T10:22:17+02:00"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["datasource_path"] == "jellyfin-syslog-logs.log"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["log_type"] == "jellyfin_failed_auth"
+results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["machine"] == "subuina"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["service"] == "jellyfin"
 results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["user"] == "testuser"
+results["s01-parse"]["LePresidente/jellyfin-logs"][0].Evt.Meta["target_user"] == "testuser"
 results["s01-parse"]["LePresidente/jellyfin-logs"][1].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -44,10 +44,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[10:22:17] [INF] Authentication request for testuser has been denied (IP: 127.0.0.1)."
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "742"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "jellyfin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "testuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "testuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "jellyfin-syslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "jellyfin_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "subuina"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "jellyfin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
diff --git a/.tests/jellyseerr-bf/parser.assert b/.tests/jellyseerr-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/jellyseerr-bf/scenario.assert b/.tests/jellyseerr-bf/scenario.assert
index b415f18fec9..0be33ac533d 100644
--- a/.tests/jellyseerr-bf/scenario.assert
+++ b/.tests/jellyseerr-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.4"].IP == "127.0.0.4"
 results[0].Overflow.Sources["127.0.0.4"].Range == ""
 results[0].Overflow.Sources["127.0.0.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.4"].GetValue() == "127.0.0.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "realuser"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "realuser"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "realuser"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "realuser"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "realuser"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "jellyseerr"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.4"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "realuser"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:50.332Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "realuser"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/jellyseerr-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["127.0.0.3"].IP == "127.0.0.3"
 results[1].Overflow.Sources["127.0.0.3"].Range == ""
 results[1].Overflow.Sources["127.0.0.3"].GetScope() == "Ip"
 results[1].Overflow.Sources["127.0.0.3"].GetValue() == "127.0.0.3"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyseerr-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "jellyseerr-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyseerr_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "jellyseerr"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.3"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:34.281Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/jellyseerr-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["127.0.0.2"].IP == "127.0.0.2" results[2].Overflow.Sources["127.0.0.2"].Range == "" results[2].Overflow.Sources["127.0.0.2"].GetScope() == "Ip" results[2].Overflow.Sources["127.0.0.2"].GetValue() == "127.0.0.2" -results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[0].GetMeta("service") == "jellyseerr" results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser@example.com" -results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[1].GetMeta("service") == "jellyseerr" results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser@example.com" -results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyseerr-bf.log" 
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[2].GetMeta("service") == "jellyseerr" results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser@example.com" -results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[3].GetMeta("service") == "jellyseerr" results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser@example.com" -results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[4].GetMeta("service") 
== "jellyseerr" results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser@example.com" -results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyseerr_failed_auth" results[2].Overflow.Alert.Events[5].GetMeta("service") == "jellyseerr" results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.2" +results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser@example.com" results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[2].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser@example.com" results[2].Overflow.Alert.GetScenario() == "LePresidente/jellyseerr-bf" results[2].Overflow.Alert.Remediation == true results[2].Overflow.Alert.GetEventsCount() == 6 
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1" results[3].Overflow.Sources["127.0.0.1"].Range == "" results[3].Overflow.Sources["127.0.0.1"].GetScope() == "Ip" results[3].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1" -results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[0].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1" +results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser" -results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[1].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1" +results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser" -results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[2].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1" +results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser" -results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[3].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1" +results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser" -results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[4].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1" 
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser" -results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "jellyseerr-bf.log" +results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "jellyseerr-bf.log" results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "jellyseerr_failed_auth" results[3].Overflow.Alert.Events[5].GetMeta("service") == "jellyseerr" results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1" +results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser" results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z" -results[3].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser" results[3].Overflow.Alert.GetScenario() == "LePresidente/jellyseerr-bf" results[3].Overflow.Alert.Remediation == true -results[3].Overflow.Alert.GetEventsCount() == 6 \ No newline at end of file +results[3].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/jellyseerr-logs/jellyseerr-logs.log b/.tests/jellyseerr-logs/jellyseerr-logs.log index a93960fc955..9dabe548bb6 100644 --- a/.tests/jellyseerr-logs/jellyseerr-logs.log +++ b/.tests/jellyseerr-logs/jellyseerr-logs.log 
@@ -3,4 +3,5 @@
 2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"::ffff:127.0.0.1","email":"fakeuser@example.com"}
 2022-06-20T09:52:34.281Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"::ffff:127.0.0.1","email":"fakeuser","password":"__REDACTED__"}}
 2022-06-20T09:52:50.332Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"::ffff:127.0.0.1","email":"realuser","password":"__REDACTED__"}}
-2022-08-03T06:40:25.190Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"127.0.0.1","email":"fakeuser","password":"__REDACTED__"}
\ No newline at end of file
+2022-08-03T06:40:25.190Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"127.0.0.1","email":"fakeuser","password":"__REDACTED__"}
+2022-08-03T06:41:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"127.0.0.1","email":"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"}
\ No newline at end of file
diff --git a/.tests/jellyseerr-logs/jellyseerr-logs.log b/.tests/jellyseerr-logs/parser.assert
index a64e87f16f5..38b08f4c2c3 100644
--- a/.tests/jellyseerr-logs/parser.assert
+++ b/.tests/jellyseerr-logs/parser.assert
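Review bot: The fourth fixture line (the `-`/`+` pair that only gains a trailing newline) is still malformed JSON — its `{"account":{...}` payload closes with a single `}` where the three lines above close with `}}` — so the parser keeps rejecting it, which the regenerated parser.assert records as `results["s01-parse"]["LePresidente/jellyseerr-logs"][5].Success == false` and a dateparse-enrich count of 6 rather than 7. That leaves the Jellyfin-credentials message with a plain (non-`::ffff:`) IPv4 address without any successfully parsed sample; the new line only covers the Overseerr-password variant for that address form. If the truncated brace is deliberate negative input, say so in the commit message or a sibling fixture comment; otherwise append the missing `}` to that line and regenerate the assert files so the plain-IPv4 Jellyfin path is actually exercised. The `.assert` hunks in this commit look tool-generated, so they are best regenerated rather than hand-edited after such a fixture change.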
@@ -1,180 +1,232 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/docker-logs"]) == 6 +len(results["s00-raw"]["crowdsecurity/docker-logs"]) == 7 results["s00-raw"]["crowdsecurity/docker-logs"][0].Success == false results["s00-raw"]["crowdsecurity/docker-logs"][1].Success == false results["s00-raw"]["crowdsecurity/docker-logs"][2].Success == false results["s00-raw"]["crowdsecurity/docker-logs"][3].Success == false results["s00-raw"]["crowdsecurity/docker-logs"][4].Success == false results["s00-raw"]["crowdsecurity/docker-logs"][5].Success == false -len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6 +results["s00-raw"]["crowdsecurity/docker-logs"][6].Success == false +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "jellyseerr" -results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\"}" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "jellyseerr" -results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "jellyseerr" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}" -results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "jellyseerr" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2022-06-20T09:52:34.281Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\",\"password\":\"__REDACTED__\"}}" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "jellyseerr" -results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2022-06-20T09:52:50.332Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"realuser\",\"password\":\"__REDACTED__\"}}" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "jellyseerr" -results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022-08-03T06:40:25.190Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\",\"password\":\"__REDACTED__\"}" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "jellyseerr" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6 +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "2022-08-03T06:41:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}" 
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "jellyseerr" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false -len(results["s01-parse"]["LePresidente/jellyseerr-logs"]) == 6 +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false +len(results["s01-parse"]["LePresidente/jellyseerr-logs"]) == 7 results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Success == true +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}" +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["program"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["username"] == "fakeuser" -results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}" 
-results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Parsed["program"] == "jellyseerr" -results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["user"] == "fakeuser" -results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["log_type"] == "jellyseerr_failed_auth" results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["service"] == "jellyseerr" +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Meta["target_user"] == "fakeuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][0].Evt.Whitelisted == false results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Success == true results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\"}" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Parsed["program"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Parsed["username"] == "fakeuser" -results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["log_type"] == "jellyseerr_failed_auth" 
+results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" +results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["service"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["user"] == "fakeuser" -results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" -results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Meta["target_user"] == "fakeuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][1].Evt.Whitelisted == false results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Success == true +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}" +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["program"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["username"] == "fakeuser@example.com" -results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}" 
-results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Parsed["program"] == "jellyseerr" +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["service"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["user"] == "fakeuser@example.com" -results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" -results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["log_type"] == "jellyseerr_failed_auth" +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Meta["target_user"] == "fakeuser@example.com" +results["s01-parse"]["LePresidente/jellyseerr-logs"][2].Evt.Whitelisted == false results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Success == true results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Parsed["message"] == "2022-06-20T09:52:34.281Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\",\"password\":\"__REDACTED__\"}}" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Parsed["program"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Parsed["timestamp"] == "2022-06-20T09:52:34.281Z" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Parsed["username"] == "fakeuser" 
-results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" +results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["log_type"] == "jellyseerr_failed_auth" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["service"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["user"] == "fakeuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Meta["target_user"] == "fakeuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][3].Evt.Whitelisted == false results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Success == true results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Parsed["message"] == "2022-06-20T09:52:50.332Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"realuser\",\"password\":\"__REDACTED__\"}}" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Parsed["program"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Parsed["source_ip"] == "127.0.0.1" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Parsed["timestamp"] == "2022-06-20T09:52:50.332Z" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Parsed["username"] == "realuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" 
+results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["service"] == "jellyseerr" results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["source_ip"] == "127.0.0.1" -results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["user"] == "realuser" -results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" -results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["log_type"] == "jellyseerr_failed_auth" +results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Meta["target_user"] == "realuser" +results["s01-parse"]["LePresidente/jellyseerr-logs"][4].Evt.Whitelisted == false results["s01-parse"]["LePresidente/jellyseerr-logs"][5].Success == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5 +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Success == true +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Parsed["message"] == "2022-08-03T06:41:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Parsed["program"] == "jellyseerr" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Parsed["timestamp"] == "2022-08-03T06:41:00.000Z" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" 
+results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["service"] == "jellyseerr" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["LePresidente/jellyseerr-logs"][6].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "jellyseerr" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "fakeuser" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "jellyseerr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "fakeuser" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == 
"jellyseerr-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "jellyseerr_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "jellyseerr" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "fakeuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "jellyseerr" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "fakeuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "jellyseerr" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "fakeuser" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "fakeuser" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "jellyseerr-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "jellyseerr_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "jellyseerr" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "fakeuser@example.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt 
using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "jellyseerr_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "jellyseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "fakeuser@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "jellyseerr-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2022-06-20T09:52:34.281Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\",\"password\":\"__REDACTED__\"}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "jellyseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] 
== "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2022-06-20T09:52:34.281Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "fakeuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-06-20T09:52:34.281Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "fakeuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "jellyseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "jellyseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "jellyseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-06-20T09:52:34.281Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:34.281Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2022-06-20T09:52:50.332Z [info][Auth]: Failed login attempt from user with incorrect Jellyfin credentials {\"account\":{\"ip\":\"::ffff:127.0.0.1\",\"email\":\"realuser\",\"password\":\"__REDACTED__\"}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "jellyseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2022-06-20T09:52:50.332Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "realuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "jellyseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "jellyseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "jellyseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-06-20T09:52:50.332Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "realuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:50.332Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2022-08-03T06:41:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password 
{\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "jellyseerr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022-08-03T06:41:00.000Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "jellyseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "jellyseerr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-08-03T06:41:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-08-03T06:41:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/jira_cve-2021-26086/parser.assert b/.tests/jira_cve-2021-26086/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/joplin-server-bf/parser.assert b/.tests/joplin-server-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/joplin-server-bf/scenario.assert b/.tests/joplin-server-bf/scenario.assert
index 8aafb630b55..e44510eff45 100644
--- a/.tests/joplin-server-bf/scenario.assert
+++ b/.tests/joplin-server-bf/scenario.assert 
@@ -4,34 +4,34 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "joplin-server-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "joplin_server_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "joplin"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-23T10:33:45Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "joplin-server-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "joplin_server_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "joplin"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-23T10:34:45Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "joplin-server-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "joplin_server_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "joplin"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-23T10:35:45Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "joplin-server-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "joplin_server_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "joplin"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-23T10:36:45Z"
 results[0].Overflow.Alert.GetScenario() == "xs539/joplin-server-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 4
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/joplin-server-logs/joplin-server-logs.log b/.tests/joplin-server-logs/joplin-server-logs.log
index e3ac3ba50fc..2d23e400818 100644
--- a/.tests/joplin-server-logs/joplin-server-logs.log
+++ b/.tests/joplin-server-logs/joplin-server-logs.log
@@ -1,3 +1,4 @@
 2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"user@example.com"}
 11:47:34 1|app | 2025-12-09 11:47:34: App: 192.168.1.1: 38 B: POST /login (403) (1ms)
-12:04:26 1|app | 2025-12-09 12:04:26: App: fe80::1: 35 B: POST /login (403) (3ms)
\ No newline at end of file
+12:04:26 1|app | 2025-12-09 12:04:26: App: fe80::1: 35 B: POST /login (403) (3ms)
+2025-12-09 12:05:00: App: 1.2.3.4: 50 B: POST /api/sessions: Invalid username or password: {"email":"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"}
\ No newline at end of file
diff --git a/.tests/joplin-server-logs/parser.assert b/.tests/joplin-server-logs/parser.assert
index 44c0d3bf4a4..2253a425106 100644
--- a/.tests/joplin-server-logs/parser.assert
+++ b/.tests/joplin-server-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"user@example.com\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "joplin-server"
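Review bot: The sample line appended to joplin-server-logs.log is asserted to be rejected by the parser in the `@@ -62,12 +69,13 @@` hunk of parser.assert further down (`results["s01-parse"]["xs539/joplin-server-logs"][3].Success == false`, with the s02-enrich count left at 3), so the new fixture only ever exercises a parse miss. Its shape, `App: 1.2.3.4: 50 B: POST /api/sessions: Invalid username or password: {...}`, matches neither the `[error] App: 403: POST /api/sessions: <ip>: Invalid username or password: {...}` form of line 1 nor the `App: <ip>: <size>: POST /login (403) (<ms>)` form of the two pm2-prefixed lines, so it reads as a hand-merged copy of line 1 rather than a deliberate negative case. If the intent was the same as the jellyseerr fixture above, where the synthetic `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` user is asserted to reach `target_user`, rewriting the line in the line-1 format would give the parser assertion something to check; if a negative case was intended, a short note of that intent next to the fixture would save the next reader re-deriving it. Unrelated: the log file still ends without a trailing newline on the new side (the `\ No newline at end of file` marker survives), unlike the .assert files this commit fixes up.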
@@ -18,20 +18,27 @@ results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "jopl
 basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2025-12-09 12:05:00: App: 1.2.3.4: 50 B: POST /api/sessions: Invalid username or password: {\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "joplin-server"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-len(results["s01-parse"]["xs539/joplin-server-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+len(results["s01-parse"]["xs539/joplin-server-logs"]) == 4
 results["s01-parse"]["xs539/joplin-server-logs"][0].Success == true
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"user@example.com\"}"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["program"] == "joplin-server"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["target_user"] == "user@example.com"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["timestamp"] == "2023-09-23 10:33:45"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["service"] == "joplin"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["target_user"] == "user@example.com"
@@ -46,9 +53,9 @@ results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Parsed["program"] == "jo
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Parsed["response_time"] == "1"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Parsed["timestamp"] == "2025-12-09 11:47:34"
+results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["service"] == "joplin"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["xs539/joplin-server-logs"][1].Evt.Whitelisted == false
@@ -62,12 +69,13 @@ results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Parsed["program"] == "jo
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Parsed["remote_addr"] == "fe80::1"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Parsed["response_time"] == "3"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Parsed["timestamp"] == "2025-12-09 12:04:26"
+results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["service"] == "joplin"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Meta["source_ip"] == "fe80::1"
 results["s01-parse"]["xs539/joplin-server-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["xs539/joplin-server-logs"][3].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"user@example.com\"}"
@@ -75,9 +83,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "user@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-09-23 10:33:45"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "joplin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "user@example.com"
@@ -94,9 +102,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["response_time"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2025-12-09 11:47:34"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "joplin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-12-09T11:47:34Z"
@@ -112,9 +120,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "fe80::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["response_time"] == "3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2025-12-09 12:04:26"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "joplin-server-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "joplin_server_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "joplin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "fe80::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-12-09T12:04:26Z"
diff --git a/.tests/k8s-audit-pod-exec-file/parser.assert b/.tests/k8s-audit-pod-exec-file/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/k8s-audit-priv-pod-file/parser.assert b/.tests/k8s-audit-priv-pod-file/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/kasm-bruteforce/parser.assert b/.tests/kasm-bruteforce/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/laurel-base64-exec/parser.assert b/.tests/laurel-base64-exec/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/laurel-suid-crash/parser.assert b/.tests/laurel-suid-crash/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/lemonldap-ng-bf/parser.assert b/.tests/lemonldap-ng-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/litellm-logs/parser.assert b/.tests/litellm-logs/parser.assert
index 223f10bac43..18676deca27 100644
--- a/.tests/litellm-logs/parser.assert
+++ b/.tests/litellm-logs/parser.assert
@@ -52,9 +52,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Parsed["query"] == "/login"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][0].Evt.Whitelisted == false
@@ -66,9 +66,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Parsed["query"] == "/models?return_wildcard_routes=false"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][1].Evt.Whitelisted == false
@@ -80,9 +80,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Parsed["query"] == "/v1/models?return_wildcard_routes=false"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][2].Evt.Whitelisted == false
@@ -94,9 +94,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Parsed["query"] == "/chat/completions?model=mistral"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][3].Evt.Whitelisted == false
@@ -108,9 +108,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Parsed["query"] == "/v1/chat/completions?model=mistral"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][4].Evt.Whitelisted == false
@@ -122,9 +122,9 @@ results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Parsed["program"] == "l
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Parsed["query"] == "/v1/completions?model=mistral"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Parsed["status"] == "401"
+results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["datasource_path"]) == "litellm-logs.log"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["log_type"] == "litellm_failed_auth"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["service"] == "litellm"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Meta["status"] == "401"
 results["s01-parse"]["LearningSpot/litellm-logs"][5].Evt.Whitelisted == false
diff --git a/.tests/litespeed-admin-bf/parser.assert b/.tests/litespeed-admin-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/litespeed-http-sensitive-files/parser.assert b/.tests/litespeed-http-sensitive-files/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/magento-ccs-by-as/parser.assert b/.tests/magento-ccs-by-as/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/magento-ccs-by-country/parser.assert b/.tests/magento-ccs-by-country/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/magento-ccs/parser.assert b/.tests/magento-ccs/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mailu-admin-bf/parser.assert b/.tests/mailu-admin-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mariadb-bf/parser.assert b/.tests/mariadb-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mariadb-bf/scenario.assert b/.tests/mariadb-bf/scenario.assert
index 92958d05baf..3a6db8a0f72 100644
--- a/.tests/mariadb-bf/scenario.assert
+++ b/.tests/mariadb-bf/scenario.assert
@@ -4,36 +4,48 @@ results[0].Overflow.Sources["172.17.0.1"].IP == "172.17.0.1"
 results[0].Overflow.Sources["172.17.0.1"].Range == ""
 results[0].Overflow.Sources["172.17.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["172.17.0.1"].GetValue() == "172.17.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "example-user"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "example-user"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "example-user"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "example-user"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "example-user"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "mariadb-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mariadb-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mariadb_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "mariadb"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.17.0.1"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "example-user"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "example-user"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-11-09T05:13:11Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/mariadb-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/mariadb-logs/parser.assert b/.tests/mariadb-logs/parser.assert
index 363c8748af0..5c60f7a1a84 100644
--- a/.tests/mariadb-logs/parser.assert
+++ b/.tests/mariadb-logs/parser.assert
@@ -46,9 +46,9 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Parsed["time"] == "5:1
 results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Parsed["user"] == "example-user"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["user"] == "example-user"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["target_user"] == "example-user"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["year"] == "2021"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["program"] == "mariadb"
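Review bot: The context line `results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["datasource_path"] == "mariadb-logs.log"` keeps a bare string comparison, while every scenario.assert hunk in this commit (mariadb-bf, meshcentral-bf, mikrotik-bf) and the meshcentral-logs parser.assert move to `basename(...)`. If the harness ever reports the datasource path with a directory prefix, this file would be the only one left failing. Since the neighbouring assertions are being rewritten anyway, `basename(results["s01-parse"]["crowdsecurity/mariadb-logs"][0].Evt.Meta["datasource_path"]) == "mariadb-logs.log"` would keep the test files consistent. The same bare comparison recurs in each of the following hunks of this file.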
@@ -61,9 +61,9 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["user"] == "exa
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["using_password"] == "NO"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["date"] == "2021-11-09"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Parsed["day"] == "09"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["user"] == "example-user"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["target_user"] == "example-user"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Success == true
@@ -79,9 +79,9 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Parsed["time"] == "11:
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Parsed["using_password"] == "NO"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Parsed["date"] == "2022-05-01"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][2].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Success == true
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Parsed["time"] == "14:49:17"
@@ -95,9 +95,9 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Parsed["user"] == "roo
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Parsed["using_password"] == "YES"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["source_ip"] == "192.168.1.192"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][3].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Success == true
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Parsed["message"] == "220109 14:49:17 [Warning] Access denied for user 'root'@'192.168.1.192' (using password: NO)"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Parsed["month"] == "01"
@@ -109,9 +109,9 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Parsed["year"] == "22"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Parsed["day"] == "09"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Parsed["source_ip"] == "192.168.1.192"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["source_ip"] == "192.168.1.192"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][4].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -128,10 +128,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["using_password"] == "YES"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2021-11-09T05:13:12Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "example-user"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "example-user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2021-11-09T05:13:12Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "example-user"
@@ -147,10 +147,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2021-11-09T05:13:13Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "example-user"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "example-user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2021-11-09T05:13:13Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["day"] == "01"
@@ -166,10 +166,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["year"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-05-01 11:38:05 356 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: NO)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-05-01T11:38:05Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-05-01T11:38:05Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.1.192"
@@ -183,10 +183,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["day"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["month"] == "11"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.192"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-11-28T14:49:17Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-11-28T14:49:17Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["day"] == "09"
@@ -199,10 +199,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["using_password"] == "NO"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.1.192"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-01-09T14:49:17Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-01-09T14:49:17Z"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Success == true
@@ -218,8 +218,8 @@ results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Parsed["time"] == "19:
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Parsed["using_password"] == "NO"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Parsed["date"] == "2023-11-21"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["log_type"] == "mariadb_failed_auth"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["source_ip"] == "34.140.248.32"
-results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mariadb-logs"][5].Evt.Meta["datasource_path"] == "mariadb-logs.log"
 len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/meshcentral-bf/parser.assert b/.tests/meshcentral-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/meshcentral-bf/scenario.assert b/.tests/meshcentral-bf/scenario.assert
index acba828cbc5..13b998440a5 100644
--- a/.tests/meshcentral-bf/scenario.assert
+++ b/.tests/meshcentral-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["85.209.1.1"].IP == "85.209.1.1"
 results[0].Overflow.Sources["85.209.1.1"].Range == ""
 results[0].Overflow.Sources["85.209.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["85.209.1.1"].GetValue() == "85.209.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "undefined"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "undefined"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "undefined"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "undefined"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "undefined"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "meshcentral-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "meshcentral-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "meshcentral_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "meshcentral"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "85.209.1.1"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "undefined"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "undefined"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-02-10T17:33:10Z"
 results[0].Overflow.Alert.GetScenario() == "a1ad/meshcentral-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/meshcentral-logs/meshcentral-logs.log b/.tests/meshcentral-logs/meshcentral-logs.log
index c902f51da92..956f741f1cc 100644
--- a/.tests/meshcentral-logs/meshcentral-logs.log
+++ b/.tests/meshcentral-logs/meshcentral-logs.log
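Review bot: The timestamp assertions now pin a full year, `results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-02-10T17:33:10Z"`, but the fixture lines in meshcentral-logs.log are syslog-style `Feb 10 17:33:10 ...` with no year, so the year in the enriched value presumably comes from the clock at parse time. Unless the test runner freezes the date, these six assertions, and the `timestamp`/`MarshaledTime` ones in the meshcentral-logs parser.assert hunk, will start failing once the calendar year changes. The previous form `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-02-10T17:33:10Z"` was year-agnostic and is the safer comparison for a year-less log format; the same applies to events 1 through 5 in this hunk.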
@@ -1,2 +1,3 @@
 Feb 10 15:24:51 meshcentral https[26880]: Accepted password for admin from 79.78.1.1 port 2228
 Feb 10 17:33:10 meshcentral https[26880]: Failed password for undefined from 85.209.1.1 port 57951
+Feb 10 17:34:00 meshcentral https[26880]: Failed password for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 85.209.1.1 port 57952
diff --git a/.tests/meshcentral-logs/parser.assert b/.tests/meshcentral-logs/parser.assert
index 0f075e3d8b7..58096a05b7e 100644
--- a/.tests/meshcentral-logs/parser.assert
+++ b/.tests/meshcentral-logs/parser.assert
@@ -1,45 +1,84 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Feb 10 15:24:51 meshcentral https[26880]: Accepted password for admin from 79.78.1.1 port 2228"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "meshcentral"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "meshcentral-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Feb 10 17:33:10 meshcentral https[26880]: Failed password for undefined from 85.209.1.1 port 57951"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "meshcentral"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "meshcentral-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "Feb 10 17:34:00 meshcentral https[26880]: Failed password for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 85.209.1.1 port 57952"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "meshcentral"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-len(results["s01-parse"]["a1ad/meshcentral-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+len(results["s01-parse"]["a1ad/meshcentral-logs"]) == 3
 results["s01-parse"]["a1ad/meshcentral-logs"][0].Success == false
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Success == true
+results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["message"] == "Feb 10 17:33:10 meshcentral https[26880]: Failed password for undefined from 85.209.1.1 port 57951"
+results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["program"] == "meshcentral"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["source_ip"] == "85.209.1.1"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["timestamp"] == "Feb 10 17:33:10"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["username"] == "undefined"
-results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["message"] == "Feb 10 17:33:10 meshcentral https[26880]: Failed password for undefined from 85.209.1.1 port 57951"
-results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Parsed["program"] == "meshcentral"
-results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["datasource_path"] == "meshcentral-logs.log"
+results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["log_type"] == "meshcentral_failed_auth"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["service"] == "meshcentral"
 results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["source_ip"] == "85.209.1.1"
-results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["user"] == "undefined"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Meta["target_user"] == "undefined"
+results["s01-parse"]["a1ad/meshcentral-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Success == true
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Parsed["message"] == "Feb 10 17:34:00 meshcentral https[26880]: Failed password for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 85.209.1.1 port 57952"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Parsed["program"] == "meshcentral"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Parsed["source_ip"] == "85.209.1.1"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Parsed["timestamp"] == "Feb 10 17:34:00"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["service"] == "meshcentral"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["source_ip"] == "85.209.1.1"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["a1ad/meshcentral-logs"][2].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "undefined"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Feb 10 17:33:10 meshcentral https[26880]: Failed password for undefined from 85.209.1.1 port 57951"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "meshcentral"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "85.209.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Feb 10 17:33:10"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "undefined"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "meshcentral-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "undefined"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "meshcentral_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "meshcentral"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "85.209.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-02-10T17:33:10Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-02-10T17:33:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "undefined"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-02-10T17:33:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-02-10T17:33:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "Feb 10 17:34:00 meshcentral https[26880]: Failed password for crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 85.209.1.1 port 57952"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "meshcentral"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "85.209.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Feb 10 17:34:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "meshcentral-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "meshcentral"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "85.209.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-02-10T17:34:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-02-10T17:34:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/mikrotik-bf/parser.assert b/.tests/mikrotik-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mikrotik-bf/scenario.assert b/.tests/mikrotik-bf/scenario.assert
index 66bc381afcf..ea92fd6403f 100644
--- a/.tests/mikrotik-bf/scenario.assert
+++ b/.tests/mikrotik-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["10.10.0.35"].IP == "10.10.0.35"
results[0].Overflow.Sources["10.10.0.35"].Range == ""
results[0].Overflow.Sources["10.10.0.35"].GetScope() == "Ip"
results[0].Overflow.Sources["10.10.0.35"].GetValue() == "10.10.0.35"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "admin"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[1].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "admin"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "admin"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[3].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "admin"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[4].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "admin"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "mikrotik-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mikrotik-bf.log"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mikrotik_failed_auth"
results[0].Overflow.Alert.Events[5].GetMeta("service") == "mikrotik"
results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.10.0.35"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "admin"
results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-19T12:34:09.757188+01:00"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "admin"
results[0].Overflow.Alert.GetScenario() == "a1ad/mikrotik-bf"
results[0].Overflow.Alert.Remediation == true
results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/mikrotik-logs/mikrotik-logs.log b/.tests/mikrotik-logs/mikrotik-logs.log
index a17f72447a1..28feb31d7bf 100644
--- a/.tests/mikrotik-logs/mikrotik-logs.log
+++ b/.tests/mikrotik-logs/mikrotik-logs.log
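Review bot: The failed-auth events lose their `log_type` discriminator (every `-results[0].Overflow.Alert.Events[N].GetMeta("log_type") == "mikrotik_failed_auth"` line in this hunk) with no replacement key, while the firewall drop events in the mikrotik-logs parser.assert hunk still assert `Meta["log_type"] == "mikrotik_drop"`, so auth failures are now identifiable only by the pair `service == "mikrotik"` and `auth_status == "failed"`. If that asymmetry is intended, the parser's description should say that scenarios, notifications and SIEM rules keyed on `log_type` must switch to `auth_status`; the same removal appears in the miniflux-bf scenario.assert hunk, which runs past the end of this view. Worth recording alongside is that `target_user` (formerly `user`) is copied verbatim from the attempted login name in the log line, as the `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` fixture shows, so it is remotely supplied text that rendering templates should treat as untrusted.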
@@ -2,3 +2,4 @@
2023-03-18T20:35:05.734637+01:00 10.120.127.1 firewall,info drop-in input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto UDP, 186.26.78.68:44355->81.82.202.145:53, len 65
2023-03-18T20:36:59.594792+01:00 10.120.127.1 firewall,info drop-tcp input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto TCP (SYN), 36.97.161.219:59388->81.82.202.145:23, len 40
2023-03-19T12:34:09.757188+01:00 10.120.127.1 system,error,critical login failure for user admin from 10.127.0.35 via winbox
+2023-03-19T12:35:00.000000+01:00 10.120.127.1 system,error,critical login failure for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 10.127.0.35 via winbox
diff --git a/.tests/mikrotik-logs/parser.assert b/.tests/mikrotik-logs/parser.assert
index 957b49b5bfc..3af90d875df 100644
--- a/.tests/mikrotik-logs/parser.assert
+++ b/.tests/mikrotik-logs/parser.assert
@@ -1,138 +1,182 @@
len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-03-18T20:35:05.734637+01:00 10.120.127.1 firewall,info drop-in input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto UDP, 186.26.78.68:44355->81.82.202.145:53, len 65"
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "mikrotik"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2023-03-18T20:36:59.594792+01:00 10.120.127.1 firewall,info drop-tcp input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto TCP (SYN), 36.97.161.219:59388->81.82.202.145:23, len 40"
results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "mikrotik"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "mikrotik"
results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023-03-19T12:34:09.757188+01:00 10.120.127.1 system,error,critical login failure for user admin from 10.127.0.35 via winbox"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "mikrotik"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2023-03-19T12:35:00.000000+01:00 10.120.127.1 system,error,critical login failure for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 10.127.0.35 via winbox"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "mikrotik"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-len(results["s01-parse"]["a1ad/mikrotik-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+len(results["s01-parse"]["a1ad/mikrotik-logs"]) == 4
results["s01-parse"]["a1ad/mikrotik-logs"][0].Success == true
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["connection_state"] == "new"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["length"] == "65"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["proto"] == "UDP"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["dst_ip"] == "81.82.202.145"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["if_out"] == "(unknown 0)"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["src_port"] == "44355"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["dst_port"] == "53"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["if_in"] == "ether1-WAN"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["if_out"] == "(unknown 0)"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["length"] == "65"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["message"] == "2023-03-18T20:35:05.734637+01:00 10.120.127.1 firewall,info drop-in input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto UDP, 186.26.78.68:44355->81.82.202.145:53, len 65"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["program"] == "mikrotik"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["proto"] == "UDP"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["source_ip"] == "186.26.78.68"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["dst_port"] == "53"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["src_port"] == "44355"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["tag"] == "drop-in"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Parsed["timestamp"] == "2023-03-18T20:35:05.734637+01:00"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["service"] == "tcp_udp"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["source_ip"] == "186.26.78.68"
-results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+basename(results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["dst_port"] == "53"
results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["log_type"] == "mikrotik_drop"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["service"] == "tcp_udp"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Meta["source_ip"] == "186.26.78.68"
+results["s01-parse"]["a1ad/mikrotik-logs"][0].Evt.Whitelisted == false
results["s01-parse"]["a1ad/mikrotik-logs"][1].Success == true
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["connection_state"] == "new"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["dst_ip"] == "81.82.202.145"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["dst_port"] == "23"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["if_in"] == "ether1-WAN"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["if_out"] == "(unknown 0)"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["length"] == "40"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["message"] == "2023-03-18T20:36:59.594792+01:00 10.120.127.1 firewall,info drop-tcp input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto TCP (SYN), 36.97.161.219:59388->81.82.202.145:23, len 40"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["if_in"] == "ether1-WAN"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["timestamp"] == "2023-03-18T20:36:59.594792+01:00"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["program"] == "mikrotik"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["src_port"] == "59388"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["tag"] == "drop-tcp"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["connection_state"] == "new"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["dst_port"] == "23"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["if_out"] == "(unknown 0)"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["proto"] == "TCP"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["source_ip"] == "36.97.161.219"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["source_ip"] == "36.97.161.219"
-results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["src_port"] == "59388"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["tag"] == "drop-tcp"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Parsed["timestamp"] == "2023-03-18T20:36:59.594792+01:00"
+basename(results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["dst_port"] == "23"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["log_type"] == "mikrotik_drop"
results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["service"] == "tcp_udp"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Meta["source_ip"] == "36.97.161.219"
+results["s01-parse"]["a1ad/mikrotik-logs"][1].Evt.Whitelisted == false
results["s01-parse"]["a1ad/mikrotik-logs"][2].Success == true
+results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["invalid_user"] == "admin"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["message"] == "2023-03-19T12:34:09.757188+01:00 10.120.127.1 system,error,critical login failure for user admin from 10.127.0.35 via winbox"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["program"] == "mikrotik"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["source_ip"] == "10.127.0.35"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["timestamp"] == "2023-03-19T12:34:09.757188+01:00"
-results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Parsed["invalid_user"] == "admin"
-results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["log_type"] == "mikrotik_failed_auth"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["service"] == "mikrotik"
results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["source_ip"] == "10.127.0.35"
-results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["user"] == "admin"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
+results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["a1ad/mikrotik-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Success == true
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Parsed["invalid_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Parsed["message"] == "2023-03-19T12:35:00.000000+01:00 10.120.127.1 system,error,critical login failure for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 10.127.0.35 via winbox"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Parsed["program"] == "mikrotik"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Parsed["source_ip"] == "10.127.0.35"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Parsed["timestamp"] == "2023-03-19T12:35:00.000000+01:00"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["service"] == "mikrotik"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["source_ip"] == "10.127.0.35"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["a1ad/mikrotik-logs"][3].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["tag"] == "drop-in"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["connection_state"] == "new"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dst_ip"] == "81.82.202.145"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dst_port"] == "53"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["if_in"] == "ether1-WAN"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["length"] == "65"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-03-18T20:35:05.734637+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["connection_state"] == "new"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["if_out"] == "(unknown 0)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["length"] == "65"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-03-18T20:35:05.734637+01:00 10.120.127.1 firewall,info drop-in input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto UDP, 186.26.78.68:44355->81.82.202.145:53, len 65"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["proto"] == "UDP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_port"] == "44355"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dst_ip"] == "81.82.202.145"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "mikrotik"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["proto"] == "UDP"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "186.26.78.68"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "186.26.78.68"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-18T20:35:05.734637+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_port"] == "44355"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["tag"] == "drop-in"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-03-18T20:35:05.734637+01:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["dst_port"] == "53"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mikrotik_drop"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "tcp_udp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "186.26.78.68"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-18T20:35:05.734637+01:00"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-03-18T20:35:05.734637+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["tag"] == "drop-tcp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["connection_state"] == "new"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_ip"] == "81.82.202.145"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_port"] == "23"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["if_in"] == "ether1-WAN"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["if_out"] == "(unknown 0)"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["length"] == "40"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-03-18T20:36:59.594792+01:00 10.120.127.1 firewall,info drop-tcp input: in:ether1-WAN out:(unknown 0), connection-state:new src-mac 00:17:10:88:bc:02, proto TCP (SYN), 36.97.161.219:59388->81.82.202.145:23, len 40"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "mikrotik"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["proto"] == "TCP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_port"] == "59388"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "36.97.161.219"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_mac"] == "00:17:10:88:bc:02"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_port"] == "59388"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["tag"] == "drop-tcp"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-03-18T20:36:59.594792+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["connection_state"] == "new"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_ip"] == "81.82.202.145"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_port"] == "23"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["if_in"] == "ether1-WAN"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["if_out"] == "(unknown 0)"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["dst_port"] == "23"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mikrotik_drop"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "tcp_udp"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "36.97.161.219"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-03-18T20:36:59.594792+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-03-18T20:36:59.594792+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["invalid_user"] == "admin"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2023-03-19T12:34:09.757188+01:00 10.120.127.1 system,error,critical login failure for user admin from 10.127.0.35 via winbox"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "mikrotik"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "10.127.0.35"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-03-19T12:34:09.757188+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["invalid_user"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "mikrotik-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mikrotik_failed_auth"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "mikrotik"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "10.127.0.35"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "admin"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-03-19T12:34:09.757188+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "admin"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-03-19T12:34:09.757188+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["invalid_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2023-03-19T12:35:00.000000+01:00 10.120.127.1 system,error,critical login failure for user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 10.127.0.35 via winbox"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "mikrotik"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "10.127.0.35"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2023-03-19T12:35:00.000000+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "mikrotik-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "mikrotik"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "10.127.0.35"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-03-19T12:35:00+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-03-19T12:35:00+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
len(results["success"][""]) == 0
diff --git a/.tests/mikrotik-scan-multi_ports/parser.assert b/.tests/mikrotik-scan-multi_ports/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/miniflux-bf/parser.assert b/.tests/miniflux-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/miniflux-bf/scenario.assert b/.tests/miniflux-bf/scenario.assert
index 2bc27ff89ea..e0393998799 100644
--- a/.tests/miniflux-bf/scenario.assert
+++ b/.tests/miniflux-bf/scenario.assert
@@ -4,60 +4,60 @@ results[0].Overflow.Sources["192.168.0.254"].IP == "192.168.0.254"
 results[0].Overflow.Sources["192.168.0.254"].Range == ""
 results[0].Overflow.Sources["192.168.0.254"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.0.254"].GetValue() == "192.168.0.254"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "hacker1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-01-12T22:54:36.307Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "hacker1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[1].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "hacker2"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-01-12T22:54:37.307Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "hacker2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[2].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "hacker3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-01-12T22:54:38.307Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "hacker3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[3].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "hacker4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-01-12T22:54:39.307Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "hacker4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[4].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "hacker5"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-01-12T22:54:40.307Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "hacker5"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "miniflux-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[0].Overflow.Alert.Events[5].GetMeta("log_subtype") == "miniflux_bad_user"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "miniflux_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "miniflux"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.254"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "hacker6"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-01-12T22:54:41.307Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "hacker6"
 results[0].Overflow.Alert.GetScenario() == "jbowdre/miniflux-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -66,60 +66,60 @@ results[1].Overflow.Sources["192.168.0.254"].IP == "192.168.0.254"
 results[1].Overflow.Sources["192.168.0.254"].Range == ""
 results[1].Overflow.Sources["192.168.0.254"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.0.254"].GetValue() == "192.168.0.254"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[0].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "hacker1"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-01-12T22:54:36.307Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "hacker1"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[1].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "hacker2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-01-12T22:54:37.307Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "hacker2"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[2].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "hacker3"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-01-12T22:54:38.307Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "hacker3"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[3].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "hacker4"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-01-12T22:54:39.307Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "hacker4"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[4].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[4].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "hacker5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-01-12T22:54:40.307Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "hacker5"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "miniflux-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "miniflux-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[5].GetMeta("evt.StrTimeFormat") == "2006-01-02T15:04:05.999Z"
 results[1].Overflow.Alert.Events[5].GetMeta("log_subtype") == "miniflux_bad_user"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "miniflux_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "miniflux"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.254"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "hacker6"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-01-12T22:54:41.307Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "hacker6"
 results[1].Overflow.Alert.GetScenario() == "jbowdre/miniflux-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/miniflux-logs/miniflux-logs.log b/.tests/miniflux-logs/miniflux-logs.log
index 7ce51f28828..ccacb8a0bc7 100644
--- a/.tests/miniflux-logs/miniflux-logs.log
+++ b/.tests/miniflux-logs/miniflux-logs.log
@@ -1,2 +1,3 @@
 miniflux | time=2024-01-12T22:54:56.307Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=hacker1 error="store: unable to find this user: hacker1"
-miniflux | time=2024-01-12T22:55:30.265Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=user1 error="store: invalid password for \"user1\" (crypto/bcrypt: hashedPassword is not the hash of the given password)"
\ No newline at end of file
+miniflux | time=2024-01-12T22:55:30.265Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=user1 error="store: invalid password for \"user1\" (crypto/bcrypt: hashedPassword is not the hash of the given password)"
+miniflux | time=2024-01-12T22:56:00.000Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl error="store: unable to find this user: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
\ No newline at end of file
diff --git a/.tests/miniflux-logs/parser.assert b/.tests/miniflux-logs/parser.assert
index 8d61a72f2b4..79699877964 100644
--- a/.tests/miniflux-logs/parser.assert
+++ b/.tests/miniflux-logs/parser.assert
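Review bot: The new last fixture line still ends with `\ No newline at end of file`, while the same commit adds the missing final newline to `.tests/mongodb-bf/scenario.assert`. The updated parser.assert expects three `s00-raw` events, so the file datasource evidently delivers the unterminated last line in the hubtest run, but that this holds for every acquisition path is inferred rather than shown here. Terminating the fixture with a newline after the `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` line removes that dependency and keeps the two files' conventions consistent.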
@@ -1,35 +1,42 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:54:56.307Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=hacker1 error=\"store: unable to find this user: hacker1\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "miniflux"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "miniflux-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:55:30.265Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=user1 error=\"store: invalid password for \\\"user1\\\" (crypto/bcrypt: hashedPassword is not the hash of the given password)\""
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "miniflux"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "miniflux-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:56:00.000Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl error=\"store: unable to find this user: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\""
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "miniflux"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-len(results["s01-parse"]["jbowdre/miniflux-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+len(results["s01-parse"]["jbowdre/miniflux-logs"]) == 3
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Success == true
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:54:56.307Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=hacker1 error=\"store: unable to find this user: hacker1\""
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Parsed["program"] == "miniflux"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Parsed["timestamp"] == "2024-01-12T22:54:56.307Z"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Parsed["username"] == "hacker1"
-results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["datasource_path"] == "miniflux-logs.log"
+results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["evt.StrTimeFormat"] == "2006-01-02T15:04:05.999Z"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["log_subtype"] == "miniflux_bad_user"
-results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["log_type"] == "miniflux_failed_auth"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["service"] == "miniflux"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["user"] == "hacker1"
+results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Meta["target_user"] == "hacker1"
 results["s01-parse"]["jbowdre/miniflux-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Success == true
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:55:30.265Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=user1 error=\"store: invalid password for \\\"user1\\\" (crypto/bcrypt: hashedPassword is not the hash of the given 
password)\""
@@ -37,13 +44,28 @@ results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Parsed["program"] == "minif
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Parsed["source_ip"] == "192.168.0.254"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Parsed["timestamp"] == "2024-01-12T22:55:30.265Z"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Parsed["username"] == "user1"
-results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["datasource_path"] == "miniflux-logs.log"
+results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["evt.StrTimeFormat"] == "2006-01-02T15:04:05.999Z"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["log_subtype"] == "miniflux_bad_password"
-results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["log_type"] == "miniflux_failed_auth"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["service"] == "miniflux"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["source_ip"] == "192.168.0.254"
-results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["user"] == "user1"
+results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Meta["target_user"] == "user1"
 results["s01-parse"]["jbowdre/miniflux-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Success == true
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Parsed["message"] == "miniflux | time=2024-01-12T22:56:00.000Z level=WARN msg=\"Incorrect username or password\" authentication_failed=true client_ip=192.168.0.254 user_agent=\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\" username=crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl error=\"store: unable to find this user: 
crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\""
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Parsed["program"] == "miniflux"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Parsed["source_ip"] == "192.168.0.254"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Parsed["timestamp"] == "2024-01-12T22:56:00.000Z"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["datasource_path"]) == "miniflux-logs.log"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["evt.StrTimeFormat"] == "2006-01-02T15:04:05.999Z"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["log_subtype"] == "miniflux_bad_user"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["service"] == "miniflux"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["source_ip"] == "192.168.0.254"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["jbowdre/miniflux-logs"][2].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/modsecurity-nginx/parser.assert b/.tests/modsecurity-nginx/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/modsecurity/parser.assert b/.tests/modsecurity/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mongodb-bf/parser.assert b/.tests/mongodb-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mongodb-bf/scenario.assert b/.tests/mongodb-bf/scenario.assert
index b9bb175c3dd..8b393e1dac8 100644
--- a/.tests/mongodb-bf/scenario.assert
+++ b/.tests/mongodb-bf/scenario.assert
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["::1"].IP == "::1"
 results[0].Overflow.Sources["::1"].Range == ""
 results[0].Overflow.Sources["::1"].GetScope() == "Ip"
 results[0].Overflow.Sources["::1"].GetValue() == "::1"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("authentication_database") == "admin"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-07-28T19:05:12.278+02:00"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "root"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("authentication_database") == "local"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-07-28T19:05:16.428+02:00"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "root"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("authentication_database") == "test"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-07-28T19:05:24.532+02:00"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "root"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("authentication_database") == "demo"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-07-28T19:05:36.158+02:00"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "root"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("authentication_database") == "root"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-07-28T19:05:44.286+02:00"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "root"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("authentication_database") == "hidden"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mongodb_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "mongodb"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-07-28T19:05:50.397+02:00"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "root"
 results[0].Overflow.Alert.GetScenario() == "timokoessler/mongodb-bf_auth-db-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -60,54 +60,54 @@ results[1].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[1].Overflow.Sources["127.0.0.1"].Range == ""
 results[1].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[0].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-07-28T18:00:00.903+02:00"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "root"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[1].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-07-28T18:00:02.125+02:00"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "root"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[2].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-07-28T18:00:05.826+02:00"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "root"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[3].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-07-28T18:00:07.437+02:00"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "root"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[4].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-07-28T18:00:11.791+02:00"
-results[1].Overflow.Alert.Events[4].GetMeta("username") == "root"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[5].GetMeta("authentication_database") == "admin"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "mongodb-bf.log"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mongodb-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "mongodb_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "mongodb"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-07-28T18:00:14.278+02:00"
-results[1].Overflow.Alert.Events[5].GetMeta("username") == "root"
 results[1].Overflow.Alert.GetScenario() == "timokoessler/mongodb-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/mongodb-logs/parser.assert b/.tests/mongodb-logs/parser.assert
index 61f12013acb..309c2c89750 100644
--- a/.tests/mongodb-logs/parser.assert
+++ b/.tests/mongodb-logs/parser.assert
@@ -1,25 +1,45 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"t\":{\"$date\":\"2022-07-28T18:00:00.903+02:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn1\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-256\",\"speculative\":false,\"principalName\":\"root\",\"authenticationDatabase\":\"admin\",\"remote\":\"127.0.0.1:4071\",\"extraInfo\":{},\"error\":\"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch\"}}"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "mongodb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "mongodb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"t\":{\"$date\":\"2022-07-28T18:16:40.466+02:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn12\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-256\",\"speculative\":true,\"principalName\":\"root\",\"authenticationDatabase\":\"admin\",\"remote\":\"[::1]:1053\",\"extraInfo\":{},\"error\":\"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch\"}}"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "mongodb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "mongodb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["timokoessler/mongodb-logs"]) == 2
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Success == true
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Parsed["message"] == "{\"t\":{\"$date\":\"2022-07-28T18:00:00.903+02:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn1\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-256\",\"speculative\":false,\"principalName\":\"root\",\"authenticationDatabase\":\"admin\",\"remote\":\"127.0.0.1:4071\",\"extraInfo\":{},\"error\":\"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch\"}}"
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Parsed["program"] == "mongodb"
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Parsed["remote_addr"] == "127.0.0.1"
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Parsed["timestamp"] == "2022-07-28T18:00:00.903+02:00"
-results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["service"] == "mongodb"
-results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["username"] == "root"
+results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["authentication_database"] == "admin"
-results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["datasource_path"] == "mongodb-logs.log"
+basename(results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["datasource_path"]) == "mongodb-logs.log"
 results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["log_type"] == "mongodb_failed_auth"
+results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["service"] == "mongodb"
+results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["timokoessler/mongodb-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Success == true
-results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["timestamp"] == "2022-07-28T18:16:40.466+02:00"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["message"] == "{\"t\":{\"$date\":\"2022-07-28T18:16:40.466+02:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn12\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-256\",\"speculative\":true,\"principalName\":\"root\",\"authenticationDatabase\":\"admin\",\"remote\":\"[::1]:1053\",\"extraInfo\":{},\"error\":\"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch\"}}"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["program"] == "mongodb"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["remote_addr"] == "::1"
-results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["datasource_path"] == "mongodb-logs.log"
+results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["timestamp"] == "2022-07-28T18:16:40.466+02:00"
+results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["auth_status"] == "failed"
+results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["authentication_database"] == "admin"
+basename(results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["datasource_path"]) == "mongodb-logs.log"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["log_type"] == "mongodb_failed_auth"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["service"] == "mongodb"
 results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["source_ip"] == "::1"
-results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["username"] == "root"
-results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["authentication_database"] == "admin"
\ No newline at end of file
+results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/mysql-bf/parser.assert b/.tests/mysql-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/mysql-bf/scenario.assert b/.tests/mysql-bf/scenario.assert
index 3c6f063c610..364e0da6919 100644
--- a/.tests/mysql-bf/scenario.assert
+++ b/.tests/mysql-bf/scenario.assert
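Review bot: The second fixture line is asserted as a plain `auth_status == "failed"` event although its raw message carries `\"speculative\":true`, and nothing in the hunk distinguishes a speculative SCRAM attempt from a regular one. If, as is common with drivers, a failed speculative attempt is followed by a regular attempt on the same connection, one wrong password can produce two "Authentication failed" lines and count twice toward the brute-force threshold; worth confirming against mongod behaviour and, if so, either skipping speculative failures in the parser or documenting the double count. A cheap way to make the decision visible in this file would be an assertion on a parsed field, e.g. `results["s01-parse"]["timokoessler/mongodb-logs"][1].Evt.Parsed["speculative"] == "true"`, if the parser exposes it.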
@@ -1,39 +1,57 @@
+len(results) == 1
 "27.155.87.54" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["27.155.87.54"].IP == "27.155.87.54"
 results[0].Overflow.Sources["27.155.87.54"].Range == ""
 results[0].Overflow.Sources["27.155.87.54"].GetScope() == "Ip"
 results[0].Overflow.Sources["27.155.87.54"].GetValue() == "27.155.87.54"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "root"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "root"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "root"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "root"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "root"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "mysql-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mysql-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mysql_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "ip-172-31-36-243.ap-northeast-2.compute.internal"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "mysql"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "27.155.87.54"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "root"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2020-04-16T05:13:40.861934Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/mysql-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-
diff --git a/.tests/mysql-logs/parser.assert b/.tests/mysql-logs/parser.assert
index bc43103fd3a..0eef587c5a4 100644
--- a/.tests/mysql-logs/parser.assert
+++ b/.tests/mysql-logs/parser.assert
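Review bot: All six events in this hunk assert the identical `timestamp` value `2020-04-16T05:13:40.861934Z`, which is only right if mysql-bf.log repeats the same line six times; if the fixture has distinct per-line times, the enrichment is reading the wrong field and the scenario's leak-speed window is being exercised with zero elapsed time. Worth checking the fixture before merging, and if the lines do differ, pin the distinct values here so the test catches a regression in timestamp parsing. The new `machine` assertions are repeated verbatim six times as well; that is fine for a scenario test but a short comment at the top of the file naming the single source host would make the intent clearer, e.g. `# all six failures come from one client against one host; the count, not the timing, is what is under test`.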
@@ -35,9 +35,9 @@ results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Parsed["user"] == "root"
 results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Parsed["using_password"] == "YES"
 results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["source_ip"] == "27.155.87.54"
-results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Parsed["using_password"] == "NO"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Parsed["message"] == "2020-04-16T05:13:41.144260Z 345 [Note] Access denied for user 'root'@'27.155.87.54' (using password: NO)"
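Review bot: This file keeps `Evt.Meta["datasource_path"] == "mysql-logs.log"` as an exact string comparison (context line in this hunk, and likewise in the -46, -59, -72, -86, -98, -114 and -130 hunks that follow), while every other assert file touched by this commit was switched to `basename(...)`. If the test runner ever passes the fixture by absolute path, as the other files now assume, only this file will fail; the one-line change is `basename(results["s01-parse"]["crowdsecurity/mysql-logs"][0].Evt.Meta["datasource_path"]) == "mysql-logs.log"`, repeated for each occurrence. Doing it in the same commit keeps the meta-key rename and the path-form change reviewable together.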
@@ -46,9 +46,9 @@ results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Parsed["source_ip"] == "
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Parsed["time"] == "2020-04-16T05:13:41.144260Z"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Parsed["user"] == "root"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["source_ip"] == "27.155.87.54"
-results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/mysql-logs"][1].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Success == true
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Parsed["time"] == "2021-10-28T08:06:45.411498Z"
@@ -59,9 +59,9 @@ results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Parsed["message"] == "20
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Parsed["program"] == "mysql"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Parsed["source_ip"] == "42.42.42.42"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Parsed["subsystem"] == "Server"
-results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["source_ip"] == "42.42.42.42"
-results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["user"] == "seb"
+results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["target_user"] == "seb"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s01-parse"]["crowdsecurity/mysql-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Success == true
@@ -72,9 +72,9 @@ results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Parsed["using_password"]
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Parsed["message"] == "2023-07-31T08:34:16.116872Z 14 Connect Access denied for user 'user'@'192.168.121.1' (using password: YES)"
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Parsed["program"] == "mysql"
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["source_ip"] == "192.168.121.1"
-results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["user"] == "user"
+results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["target_user"] == "user"
 results["s01-parse"]["crowdsecurity/mysql-logs"][3].Evt.Meta["datasource_path"] == "mysql-logs.log"
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -86,10 +86,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "mysql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "27.155.87.54"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2020-04-16T05:13:40.861934Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2020-04-16T05:13:40.861934Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "2020-04-16T05:13:41.144260Z"
@@ -98,10 +98,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["using_pas
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2020-04-16T05:13:41.144260Z 345 [Note] Access denied for user 'root'@'27.155.87.54' (using password: NO)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "mysql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "27.155.87.54"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "27.155.87.54"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2020-04-16T05:13:41.14426Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2020-04-16T05:13:41.14426Z"
@@ -114,10 +114,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["err_code"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2021-10-28T08:06:45.411498Z 25 [Note] [MY-010926] [Server] Access denied for user 'seb'@'42.42.42.42' (using password: NO)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "mysql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "42.42.42.42"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "seb"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "seb"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "42.42.42.42"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2021-10-28T08:06:45.411498Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2021-10-28T08:06:45.411498Z"
@@ -130,9 +130,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.121.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "mysql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "mysql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.121.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-07-31T08:34:16.116872Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "user"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-07-31T08:34:16.116872Z"
 len(results["success"][""]) == 0
diff --git a/.tests/navidrome-bf/scenario.assert b/.tests/navidrome-bf/scenario.assert
index 994b0c70c8c..e30e1d03b3c 100644
--- a/.tests/navidrome-bf/scenario.assert
+++ b/.tests/navidrome-bf/scenario.assert
@@ -4,51 +4,51 @@ results[0].Overflow.Sources["198.51.100.31"].IP == "198.51.100.31"
 results[0].Overflow.Sources["198.51.100.31"].Range == ""
 results[0].Overflow.Sources["198.51.100.31"].GetScope() == "Ip"
 results[0].Overflow.Sources["198.51.100.31"].GetValue() == "198.51.100.31"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-30T05:07:30Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-30T05:07:32Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-30T05:07:34Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-30T05:07:36Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-30T05:07:38Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "navidrome-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("http_status") == "401"
 results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "navidrome_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "navidrome"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "198.51.100.31"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-01-30T05:07:40Z"
diff --git a/.tests/navidrome-logs/parser.assert b/.tests/navidrome-logs/parser.assert
index 93b24a6a04b..31bbff7dcce 100644
--- a/.tests/navidrome-logs/parser.assert
+++ b/.tests/navidrome-logs/parser.assert
@@ -19,86 +19,86 @@ len(results["s01-parse"]["sdwilsh/navidrome-logs"]) == 2
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Success == true
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Parsed["message"] == "time=\"2025-01-30T05:07:37Z\" level=warning msg=\"HTTP: POST http://example.com/auth/login\" elapsedTime=\"792.538µs\" httpStatus=401 remoteAddr=192.168.1.1 requestId=navidrome-statefulset-0/YzKDTM4yVE-001467 responseSize=40 userAgent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\""
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Parsed["program"] == "navidrome"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["datasource_path"]) == "navidrome-logs.log"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["http_status"] == "401"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["log_type"] == "navidrome_failed_auth"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["service"] == "navidrome"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["msg"] == "HTTP: POST http://example.com/auth/login"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["time"] == "2025-01-30T05:07:37Z"
-results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["level"] == "warning"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "192.168.1.1"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["requestId"] == "navidrome-statefulset-0/YzKDTM4yVE-001467"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["msg"] == "HTTP: POST http://example.com/auth/login"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["time"] == "2025-01-30T05:07:37Z"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "792.538µs"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
+results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Unmarshaled["navidrome"]["level"] == "warning"
 results["s01-parse"]["sdwilsh/navidrome-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Success == true
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Parsed["message"] == "time=\"2025-08-03T15:20:27Z\" level=warning msg=\"HTTP: POST http://navidrome.example.com/nav/auth/login\" elapsedTime=8.5ms httpStatus=401 remoteAddr=\"::1\" requestId=cb472a3fcf9a/49PgJ3c7sx-000076 responseSize=40 userAgent=\"Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0\""
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Parsed["program"] == "navidrome"
+results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["datasource_path"]) == "navidrome-logs.log"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["http_status"] == "401"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0"
-results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["log_type"] == "navidrome_failed_auth"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["service"] == "navidrome"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["level"] == "warning"
-results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["requestId"] == "cb472a3fcf9a/49PgJ3c7sx-000076"
+results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "::1"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
-results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["time"] == "2025-08-03T15:20:27Z"
+results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "8.5ms"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["msg"] == "HTTP: POST http://navidrome.example.com/nav/auth/login"
-results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "::1"
+results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["requestId"] == "cb472a3fcf9a/49PgJ3c7sx-000076"
+results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["time"] == "2025-08-03T15:20:27Z"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0"
-results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "8.5ms"
 results["s01-parse"]["sdwilsh/navidrome-logs"][1].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "time=\"2025-01-30T05:07:37Z\" level=warning msg=\"HTTP: POST http://example.com/auth/login\" elapsedTime=\"792.538µs\" httpStatus=401 remoteAddr=192.168.1.1 requestId=navidrome-statefulset-0/YzKDTM4yVE-001467 responseSize=40 userAgent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "navidrome"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "navidrome-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "navidrome_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "navidrome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-01-30T05:07:37Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-01-30T05:07:37Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["level"] == "warning"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "192.168.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "792.538µs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["msg"] == "HTTP: POST http://example.com/auth/login"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["requestId"] == "navidrome-statefulset-0/YzKDTM4yVE-001467"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["time"] == "2025-01-30T05:07:37Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "792.538µs"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["level"] == "warning"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["navidrome"]["requestId"] == "navidrome-statefulset-0/YzKDTM4yVE-001467"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "time=\"2025-08-03T15:20:27Z\" level=warning msg=\"HTTP: POST http://navidrome.example.com/nav/auth/login\" elapsedTime=8.5ms httpStatus=401 remoteAddr=\"::1\" requestId=cb472a3fcf9a/49PgJ3c7sx-000076 responseSize=40 userAgent=\"Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "navidrome"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "navidrome-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_status"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "navidrome_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "navidrome"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-08-03T15:20:27Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-08-03T15:20:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["time"] == "2025-08-03T15:20:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["elapsedTime"] == "8.5ms"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["level"] == "warning"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["msg"] == "HTTP: POST http://navidrome.example.com/nav/auth/login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["requestId"] == "cb472a3fcf9a/49PgJ3c7sx-000076"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["responseSize"] == "40"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["time"] == "2025-08-03T15:20:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["userAgent"] == "Mozilla/5.0 (Android 12; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["httpStatus"] == "401"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["navidrome"]["remoteAddr"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/netgear_rce/parser.assert b/.tests/netgear_rce/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nextcloud-bf/parser.assert b/.tests/nextcloud-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nextcloud-bf/scenario.assert b/.tests/nextcloud-bf/scenario.assert
index ab7c1bd3588..634761ce37c 100644
--- a/.tests/nextcloud-bf/scenario.assert
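Review bot: The `Evt.Unmarshaled["navidrome"][...]` assertions in this hunk are only reordered, not changed in value — for event `[0]` `responseSize`, `msg` and `time` move below `requestId` and `httpStatus`/`level` move to the end, and the `[1]` and `s02-enrich` blocks are reshuffled in yet another order. That churn roughly doubles the hunk and buries the two substantive edits, the removal of `Meta["log_type"]` and the addition of `Meta["auth_status"] == "failed"`. The varying order looks like map-iteration order from a regenerated assert file; emitting these keys in a fixed order (sorted, as the `Meta[...]` lines already are) would keep future regenerations reviewable.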
+++ b/.tests/nextcloud-bf/scenario.assert 
@@ -1,47 +1,47 @@
-len(results) == 4
+len(results) == 3
 "2001:db8::d71" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["2001:db8::d71"].IP == "2001:db8::d71"
 results[0].Overflow.Sources["2001:db8::d71"].Range == ""
 results[0].Overflow.Sources["2001:db8::d71"].GetScope() == "Ip"
 results[0].Overflow.Sources["2001:db8::d71"].GetValue() == "2001:db8::d71"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "foo"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "foo1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "foo2"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "foo3"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "foo4"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "nextcloud_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "nextcloud"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::d71"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "foo5"
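Review bot: `+len(results) == 3` removes an overflow this file used to assert, and nothing in the hunk records why: in this file's third hunk (`@@ -93,103 +93,53 @@`) the alert for `2001:db8::d72`, built from events tagged `nextcloud_bruteforce_attempt` with `action == "login"`, is gone and the former `results[3]` block for `2001:db8::d71` is simply renumbered to `results[2]`. Unless `nextcloud-bf.log` is changed elsewhere in this commit, the d72 lines are still in the fixture and now produce no alert, so the scenario quietly loses coverage for Nextcloud's own "Bruteforce attempt … detected" message instead of failing on it. If dropping that detection is intended (the parser no longer emits `log_type`/`action`, so the scenario cannot match on them), the reason belongs in the commit description and the new behaviour should be pinned, e.g. `"2001:db8::d72" not in results[2].Overflow.GetSources()`; if it is not intended, the scenario needs an updated filter before these assertions are accepted.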
@@ -54,37 +54,37 @@ results[1].Overflow.Sources["172.18.0.200"].IP == "172.18.0.200"
 results[1].Overflow.Sources["172.18.0.200"].Range == ""
 results[1].Overflow.Sources["172.18.0.200"].GetScope() == "Ip"
 results[1].Overflow.Sources["172.18.0.200"].GetValue() == "172.18.0.200"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "nextcloud"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.18.0.200"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-02-14T17:28:33Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "nextcloud"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.18.0.200"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-02-14T17:28:33Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "nextcloud"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.18.0.200"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-02-14T17:28:33Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "nextcloud"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.18.0.200"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-02-14T17:28:33Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "nextcloud"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.18.0.200"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-02-14T17:28:33Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "nextcloud-bf.log"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "nextcloud_domain_error"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "nextcloud"
@@ -93,103 +93,53 @@ results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-02-14T17:28:33
 results[1].Overflow.Alert.GetScenario() == "crowdsecurity/nextcloud-bf_domain_error"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
-"2001:db8::d72" in results[2].Overflow.GetSources()
-results[2].Overflow.Sources["2001:db8::d72"].IP == "2001:db8::d72"
-results[2].Overflow.Sources["2001:db8::d72"].Range == ""
-results[2].Overflow.Sources["2001:db8::d72"].GetScope() == "Ip"
-results[2].Overflow.Sources["2001:db8::d72"].GetValue() == "2001:db8::d72"
-results[2].Overflow.Alert.Events[0].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nextcloud-bf.log"
+"2001:db8::d71" in results[2].Overflow.GetSources()
+results[2].Overflow.Sources["2001:db8::d71"].IP == "2001:db8::d71"
+results[2].Overflow.Sources["2001:db8::d71"].Range == ""
+results[2].Overflow.Sources["2001:db8::d71"].GetScope() == "Ip"
+results[2].Overflow.Sources["2001:db8::d71"].GetValue() == "2001:db8::d71"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "foo"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[2].Overflow.Alert.Events[1].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "foo1"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[2].Overflow.Alert.Events[2].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "foo2"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[2].Overflow.Alert.Events[3].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "foo3"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[2].Overflow.Alert.Events[4].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "foo4"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[2].Overflow.Alert.Events[5].GetMeta("action") == "login"
-results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "nextcloud-bf.log"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "nextcloud-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "nextcloud_bruteforce_attempt"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "nextcloud"
-results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::d72"
+results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::d71"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "foo5"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
 results[2].Overflow.Alert.GetScenario() == "crowdsecurity/nextcloud-bf"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
-"2001:db8::d71" in results[3].Overflow.GetSources()
-results[3].Overflow.Sources["2001:db8::d71"].IP == "2001:db8::d71"
-results[3].Overflow.Sources["2001:db8::d71"].Range == ""
-results[3].Overflow.Sources["2001:db8::d71"].GetScope() == "Ip"
-results[3].Overflow.Sources["2001:db8::d71"].GetValue() == "2001:db8::d71"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[0].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "foo"
-results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[1].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "foo1"
-results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[2].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "foo2"
-results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[3].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "foo3"
-results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[4].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "foo4"
-results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "nextcloud-bf.log"
-results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "nextcloud_failed_auth"
-results[3].Overflow.Alert.Events[5].GetMeta("service") == "nextcloud"
-results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::d71"
-results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "foo5"
-results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-01-16T15:42:37Z"
-results[3].Overflow.Alert.GetScenario() == "crowdsecurity/nextcloud-bf"
-results[3].Overflow.Alert.Remediation == true
-results[3].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/nextcloud-logs/nextcloud-logs.log b/.tests/nextcloud-logs/nextcloud-logs.log
index a4da873df5d..2e718a6542f 100644
--- a/.tests/nextcloud-logs/nextcloud-logs.log
+++ b/.tests/nextcloud-logs/nextcloud-logs.log
@@ -3,3 +3,4 @@
 {"reqId":"dCA39mNG3NHLwbibVCFp","level":1,"time":"2023-02-14T17:28:33+00:00","remoteAddr":"172.18.0.200","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"172.18.0.200\" tried to access using \"cloud.test.com\" as host.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0","version":"25.0.3.2","data":{"app":"core"}}
 {"reqId":"U1rsiIxFtovEqTt77CJN","level":2,"time":"2022-01-16T15:42:37+00:00","remoteAddr":"2001:db8::d71","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: foo@example.com (Remote IP: 2001:db8::d71)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0","version":"23.0.0.10"}
 {"reqId":"U1rsiI1FtovEqT312412","level":2,"time":"2022-01-16T15:42:37+00:00","remoteAddr":"2001:db8::d71","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 'foo@example.com' (Remote IP: '2001:db8::d71')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0","version":"23.0.0.10"}
+{"reqId":"test123456789012345678901234567890","level":2,"time":"2022-01-16T15:43:00+00:00","remoteAddr":"2001:db8::d71","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl (Remote IP: 2001:db8::d71)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0","version":"23.0.0.10"}
diff --git a/.tests/nextcloud-logs/parser.assert b/.tests/nextcloud-logs/parser.assert
index 20de7cb659a..8d4671ba23d 100644
--- a/.tests/nextcloud-logs/parser.assert
+++ b/.tests/nextcloud-logs/parser.assert
@@ -1,50 +1,57 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiIxFtovEqTt77CJN\",\"level\":2,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: foo (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Nextcloud"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiIxFtovEqTt77CJN\",\"level\":1,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"core\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Bruteforce attempt from \\\"2001:db8::d71\\\" detected for action \\\"login\\\".\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "Nextcloud"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "{\"reqId\":\"dCA39mNG3NHLwbibVCFp\",\"level\":1,\"time\":\"2023-02-14T17:28:33+00:00\",\"remoteAddr\":\"172.18.0.200\",\"user\":\"--\",\"app\":\"core\",\"method\":\"GET\",\"url\":\"/\",\"message\":\"Trusted domain error. \\\"172.18.0.200\\\" tried to access using \\\"cloud.test.com\\\" as host.\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0\",\"version\":\"25.0.3.2\",\"data\":{\"app\":\"core\"}}"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "Nextcloud"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiIxFtovEqTt77CJN\",\"level\":2,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: foo@example.com (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "Nextcloud"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiI1FtovEqT312412\",\"level\":2,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 'foo@example.com' (Remote IP: '2001:db8::d71')\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "Nextcloud"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "{\"reqId\":\"test123456789012345678901234567890\",\"level\":2,\"time\":\"2022-01-16T15:43:00+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "Nextcloud"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-len(results["s01-parse"]["crowdsecurity/nextcloud-logs"]) == 5
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
+len(results["s01-parse"]["crowdsecurity/nextcloud-logs"]) == 6
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiIxFtovEqTt77CJN\",\"level\":2,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: foo (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Parsed["program"] == "Nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Parsed["target_user"] == "foo"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["service"] == "nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["target_user"] == "foo"
@@ -55,7 +62,7 @@ results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Parsed["message"] ==
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Parsed["program"] == "Nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["action"] == "login"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["log_type"] == "nextcloud_bruteforce_attempt"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][1].Evt.Meta["service"] == "nextcloud"
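Review bot: The failed-login events lose their `log_type` assertion in this hunk (`-results["s01-parse"]["crowdsecurity/nextcloud-logs"][0].Evt.Meta["log_type"] == "nextcloud_failed_auth"`) and nothing pins that key afterwards, while the bruteforce and domain-error events still assert `log_type` in the later hunks. If the parser now omits `log_type` for failed logins, as this suggests, any scenario that still filters on that key would silently stop matching; if the parser still sets it, the assertion should stay so the value remains pinned. The same removal recurs in the `@@ -76,9`, `@@ -88,22`, `@@ -141,9` and `@@ -155,13` hunks of this file. The parser and scenario definitions are not part of this diff, so this needs confirming against them rather than against the expectations alone.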
@@ -65,7 +72,7 @@ results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Success == true
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Parsed["message"] == "{\"reqId\":\"dCA39mNG3NHLwbibVCFp\",\"level\":1,\"time\":\"2023-02-14T17:28:33+00:00\",\"remoteAddr\":\"172.18.0.200\",\"user\":\"--\",\"app\":\"core\",\"method\":\"GET\",\"url\":\"/\",\"message\":\"Trusted domain error. \\\"172.18.0.200\\\" tried to access using \\\"cloud.test.com\\\" as host.\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0\",\"version\":\"25.0.3.2\",\"data\":{\"app\":\"core\"}}"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Parsed["program"] == "Nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Parsed["source_ip"] == "172.18.0.200"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Meta["log_type"] == "nextcloud_domain_error"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][2].Evt.Meta["service"] == "nextcloud"
@@ -76,9 +83,9 @@ results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Parsed["message"] ==
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Parsed["program"] == "Nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Parsed["target_user"] == "foo@example.com"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["service"] == "nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][3].Evt.Meta["target_user"] == "foo@example.com"
@@ -88,22 +95,34 @@ results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Parsed["message"] ==
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Parsed["program"] == "Nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Parsed["target_user"] == "foo@example.com"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["service"] == "nextcloud"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Meta["target_user"] == "foo@example.com"
 results["s01-parse"]["crowdsecurity/nextcloud-logs"][4].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Parsed["message"] == "{\"reqId\":\"test123456789012345678901234567890\",\"level\":2,\"time\":\"2022-01-16T15:43:00+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Parsed["program"] == "Nextcloud"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Parsed["source_ip"] == "2001:db8::d71"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Parsed["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["service"] == "nextcloud"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["source_ip"] == "2001:db8::d71"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["crowdsecurity/nextcloud-logs"][5].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"reqId\":\"U1rsiIxFtovEqTt77CJN\",\"level\":2,\"time\":\"2022-01-16T15:42:37+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: foo (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "foo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "foo"
@@ -116,7 +135,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["action"] == "login"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "nextcloud_bruteforce_attempt"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "nextcloud"
@@ -128,7 +147,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"reqId\":\"dCA39mNG3NHLwbibVCFp\",\"level\":1,\"time\":\"2023-02-14T17:28:33+00:00\",\"remoteAddr\":\"172.18.0.200\",\"user\":\"--\",\"app\":\"core\",\"method\":\"GET\",\"url\":\"/\",\"message\":\"Trusted domain error. \\\"172.18.0.200\\\" tried to access using \\\"cloud.test.com\\\" as host.\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0\",\"version\":\"25.0.3.2\",\"data\":{\"app\":\"core\"}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "Nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "172.18.0.200"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "nextcloud_domain_error"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "nextcloud"
@@ -141,9 +160,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "Nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_user"] == "foo@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "foo@example.com"
@@ -155,13 +174,27 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "Nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["target_user"] == "foo@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "nextcloud-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "nextcloud_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "nextcloud"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "2001:db8::d71"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "foo@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-01-16T15:42:37Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-01-16T15:42:37Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\"reqId\":\"test123456789012345678901234567890\",\"level\":2,\"time\":\"2022-01-16T15:43:00+00:00\",\"remoteAddr\":\"2001:db8::d71\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl (Remote IP: 2001:db8::d71)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0\",\"version\":\"23.0.0.10\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "Nextcloud"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "2001:db8::d71"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "nextcloud-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "nextcloud"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "2001:db8::d71"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-01-16T15:43:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-01-16T15:43:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/nginx-bad-user-agent/parser.assert b/.tests/nginx-bad-user-agent/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-backdoor/parser.assert b/.tests/nginx-http-backdoor/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-generic-bf/parser.assert b/.tests/nginx-http-generic-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-open-proxy/parser.assert b/.tests/nginx-http-open-proxy/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-path-traversal/parser.assert b/.tests/nginx-http-path-traversal/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-sensitive-files/parser.assert b/.tests/nginx-http-sensitive-files/parser.assert
deleted file mode 100644
index 8b137891791..00000000000
--- a/.tests/nginx-http-sensitive-files/parser.assert
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/.tests/nginx-http-sqli-probing/parser.assert b/.tests/nginx-http-sqli-probing/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-w00twoot/parser.assert b/.tests/nginx-http-w00twoot/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-http-xss-probing/parser.assert b/.tests/nginx-http-xss-probing/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-mail-bf/parser.assert b/.tests/nginx-mail-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/nginx-mail-bf/scenario.assert b/.tests/nginx-mail-bf/scenario.assert
index 0db2fbed1fd..0b3d3db34f3 100644
--- a/.tests/nginx-mail-bf/scenario.assert
+++ b/.tests/nginx-mail-bf/scenario.assert
@@ -1,53 +1,51 @@
-len(results) == 2
-"5.34.207.182" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["5.34.207.182"].IP == "5.34.207.182"
 results[0].Overflow.Sources["5.34.207.182"].Range == ""
 results[0].Overflow.Sources["5.34.207.182"].GetScope() == "Ip"
 results[0].Overflow.Sources["5.34.207.182"].GetValue() == "5.34.207.182"
 results[0].Overflow.Alert.Events[0].GetMeta("auth_result") == "AUTH not supported"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nginx-mail-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "nginx-mail-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("dest_ip") == "0.0.0.0"
 results[0].Overflow.Alert.Events[0].GetMeta("dest_port") == "25"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mail_auth"
-results[0].Overflow.Alert.Events[0].GetMeta("service") == "mail"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "nginxmail"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.34.207.182"
-results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "linkinpark@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-02T13:39:51Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "linkinpark@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("auth_result") == "AUTH not supported"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nginx-mail-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "nginx-mail-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("dest_ip") == "0.0.0.0"
 results[0].Overflow.Alert.Events[1].GetMeta("dest_port") == "25"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mail_auth"
-results[0].Overflow.Alert.Events[1].GetMeta("service") == "mail"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "nginxmail"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "5.34.207.182"
-results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "spanish@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-02T13:39:55Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "spanish@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("auth_result") == "AUTH not supported"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nginx-mail-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "nginx-mail-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("dest_ip") == "0.0.0.0"
 results[0].Overflow.Alert.Events[2].GetMeta("dest_port") == "25"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mail_auth"
-results[0].Overflow.Alert.Events[2].GetMeta("service") == "mail"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "nginxmail"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "5.34.207.182"
-results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "relax@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-02T13:39:57Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "relax@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("auth_result") == "AUTH not supported"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nginx-mail-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "nginx-mail-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("dest_ip") == "0.0.0.0"
 results[0].Overflow.Alert.Events[3].GetMeta("dest_port") == "25"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mail_auth"
-results[0].Overflow.Alert.Events[3].GetMeta("service") == "mail"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "nginxmail"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "5.34.207.182"
-results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "itw@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-02T13:40:04Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "itw@example.com"
 results[0].Overflow.Alert.GetScenario() == "hitech95/email-user-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 4
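Review bot: `len(results) == 2` and `"5.34.207.182" in results[0].Overflow.GetSources()` are removed at the top of this hunk with no replacement, so an extra overflow produced from the same fixture would no longer fail the test, and the first alert is now checked less strictly than the second, whose `"154.250.207.69" in results[1].Overflow.GetSources()` line survives unchanged between the two hunks. Unless the count assertion reappears at the end of the file (beyond this view), I'd restore both lines as they were: `len(results) == 2` and `"5.34.207.182" in results[0].Overflow.GetSources()`. The remaining changes in the hunk (`service` becoming `nginxmail`, `username` and `sub_type` replaced by `target_user` and `auth_status`) are consistent with the nextcloud-logs expectations elsewhere in the diff.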
@@ -57,71 +55,72 @@ results[1].Overflow.Sources["154.250.207.69"].Range == "" results[1].Overflow.Sources["154.250.207.69"].GetScope() == "Ip" results[1].Overflow.Sources["154.250.207.69"].GetValue() == "154.250.207.69" results[1].Overflow.Alert.Events[0].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "nginx-mail-bf.log" +results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[0].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[0].GetMeta("dest_port") == "11143" results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[0].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[0].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "admin@example.com" results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-06T13:44:43Z" -results[1].Overflow.Alert.Events[0].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.Events[1].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "nginx-mail-bf.log" +results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[1].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[1].GetMeta("dest_port") == "11143" 
results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[1].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[1].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "admin@example.com" results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-06T13:44:45Z" -results[1].Overflow.Alert.Events[1].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.Events[2].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "nginx-mail-bf.log" +results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[2].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[2].GetMeta("dest_port") == "11143" results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[2].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[2].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "admin@example.com" results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-06T13:44:46Z" -results[1].Overflow.Alert.Events[2].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.Events[3].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "nginx-mail-bf.log" 
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[3].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[3].GetMeta("dest_port") == "11143" results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[3].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[3].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "admin@example.com" results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-06T13:44:47Z" -results[1].Overflow.Alert.Events[3].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.Events[4].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "nginx-mail-bf.log" +results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[4].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[4].GetMeta("dest_port") == "11143" results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[4].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[4].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[4].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "admin@example.com" 
results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-06T13:44:48Z" -results[1].Overflow.Alert.Events[4].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.Events[5].GetMeta("auth_result") == "Authentication credentials invalid" -results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "nginx-mail-bf.log" +results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "nginx-mail-bf.log" results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" results[1].Overflow.Alert.Events[5].GetMeta("dest_ip") == "0.0.0.0" results[1].Overflow.Alert.Events[5].GetMeta("dest_port") == "11143" results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "mail_auth" -results[1].Overflow.Alert.Events[5].GetMeta("service") == "mail" +results[1].Overflow.Alert.Events[5].GetMeta("service") == "nginxmail" results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "154.250.207.69" -results[1].Overflow.Alert.Events[5].GetMeta("sub_type") == "auth_fail" +results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "admin@example.com" results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-06T13:44:50Z" -results[1].Overflow.Alert.Events[5].GetMeta("username") == "admin@example.com" results[1].Overflow.Alert.GetScenario() == "hitech95/email-generic-bf" results[1].Overflow.Alert.Remediation == true -results[1].Overflow.Alert.GetEventsCount() == 6 \ No newline at end of file +results[1].Overflow.Alert.GetEventsCount() == 6 + diff --git a/.tests/nginx-mail-logs/parser.assert b/.tests/nginx-mail-logs/parser.assert index 6d313d623dd..d67b88a1d9e 100644 --- a/.tests/nginx-mail-logs/parser.assert +++ b/.tests/nginx-mail-logs/parser.assert 
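Review bot: The final added line of this hunk is an empty `+` line after `results[1].Overflow.Alert.GetEventsCount() == 6`, so the file now ends with a blank line rather than just a terminating newline; curing the old `\ No newline at end of file` only needs the newline on the `GetEventsCount` line itself. If these `.assert` files are regenerated by the hub test tooling, as their uniform shape suggests, that stray blank line will be dropped or re-added on the next regeneration and show up as churn, so it is worth trimming now. The substantive change — `sub_type`/`username` replaced by `auth_status`/`target_user`, `service` set to `nginxmail`, and `datasource_path` wrapped in `basename(...)` so the check no longer depends on the runner's working directory — is applied consistently to every event in this hunk and matches the preceding hunk, which starts outside this view.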
@@ -1,227 +1,771 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 17 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022/04/02 15:45:23 [info] 8#8: *15950 client 172.77.77.254:53044 connected to 0.0.0.0:25" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022/04/02 15:45:23 [error] 8#8: *15950 5.34.207.182 could not be resolved (3: Host not found) while in resolving client address, client: 5.34.207.182, server: 0.0.0.0:25" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022/04/02 15:45:25 [info] 8#8: *15950 client login failed: \"AUTH not supported\" while in http auth state, client: 5.34.207.182, server: 0.0.0.0:25, login: \"servers@example.com\"" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "174.233.1.144 - - [02/Apr/2022:17:11:53 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0\"" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "34.77.162.21 - - [05/Apr/2022:04:45:57 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. 
If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com\"" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022/04/05 04:45:57 [error] 8#8: *23638 directory index of \"/static/\" is forbidden, client: 34.77.162.21, server: , request: \"GET / HTTP/1.1\", host: \"mail.example.com\"" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "2022/04/05 13:25:10 [info] 8#8: *24785 client 172.77.77.254:54928 connected to 0.0.0.0:25" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "2022/04/05 13:25:11 [info] 8#8: *24785 client logged in, client: 209.85.210.53, server: 
0.0.0.0:25" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "2022/04/05 13:25:12 [info] 8#8: *24785 proxied session done, client: 209.85.210.53, server: 0.0.0.0:25" +results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "2022/04/05 13:25:30 [info] 8#8: *24790 client 172.77.77.254:40734 connected to 0.0.0.0:11587" +results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "2022/04/05 13:25:31 [error] 8#8: *24790 174.233.1.144 could not be resolved (2: Server failure) while in resolving client address, client: 174.233.1.144, server: 0.0.0.0:11587" +results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "nginx" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "2022/04/05 13:25:31 [info] 8#8: *24790 client logged in, client: 174.233.1.144, server: 0.0.0.0:11587, login: \"admin@example.com\", upstream: 172.69.69.9:10025" +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "2022/04/05 13:25:31 [info] 8#8: *24790 proxied session done, client: 174.233.1.144, server: 0.0.0.0:11587, login: \"admin@example.com\", upstream: 172.69.69.9:10025" +results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][13].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["message"] == "2022/04/05 13:32:06 [info] 8#8: *24819 client 172.77.77.254:46610 connected to 0.0.0.0:11143" +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "nginx" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][14].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["message"] == "2022/04/05 13:32:06 [info] 8#8: *24819 client logged in, client: 174.233.1.144, server: 0.0.0.0:11143, login: \"admin@example.com\", upstream: 172.69.69.10:143" +results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][15].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["message"] == "2022/04/05 13:32:06 [info] 8#8: *24819 proxied session done, client: 174.233.1.144, server: 0.0.0.0:11143, login: \"admin@example.com\", upstream: 172.69.69.10:143" +results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][16].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["message"] == "2023/04/05 21:00:42 [info] 126#126: *175063 client login failed: \"Authentication credentials invalid\" while in http auth state, client: 201.170.64.255 using starttls, server: 0.0.0.0:587, login: \"postmaster\"" 
+results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "nginx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 17 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == false +len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 17 +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Success == true 
+results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["body_bytes_sent"] == "118" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["message"] == "174.233.1.144 - - [02/Apr/2022:17:11:53 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["remote_addr"] == "174.233.1.144" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["request"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["status"] == "403" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["time_local"] == "02/Apr/2022:17:11:53 +0200" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_path"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_status"] == "403" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_verb"] == "GET" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["source_ip"] == "174.233.1.144" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["body_bytes_sent"] == "118" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_user_agent"] == "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["message"] == "34.77.162.21 - - [05/Apr/2022:04:45:57 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. 
If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["remote_addr"] == "34.77.162.21" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["request"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["status"] == "403" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["time_local"] == "05/Apr/2022:04:45:57 +0200" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_path"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_status"] == "403" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_user_agent"] == "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. 
If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["source_ip"] == "34.77.162.21" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["cid"] == "23638" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["loglevel"] == "error" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["message"] == "directory index of \"/static/\" is forbidden" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["pid"] == "8" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["remote_addr"] == "34.77.162.21" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["request"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["tid"] == "8" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["time"] == "2022/04/05 04:45:57" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_path"] == "/" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_verb"] == "GET" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["log_type"] == "http_error-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["source_ip"] == "34.77.162.21" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][7].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][8].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][9].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][10].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][11].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][12].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][13].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][14].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][15].Success == false +results["s01-parse"]["crowdsecurity/nginx-logs"][16].Success == false len(results["s01-parse"]["hitech95/nginx-mail-logs"]) == 14 results["s01-parse"]["hitech95/nginx-mail-logs"][0].Success == true -results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["tid"] == "8" -results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["time"] == "2022/04/02 15:45:23" +results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["cid"] == "15950" results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["dest_ip"] == "0.0.0.0" results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["dest_port"] == "25" +results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["loglevel"] == "info" +results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["message"] == "2022/04/02 15:45:23 [info] 8#8: *15950 client 172.77.77.254:53044 connected to 0.0.0.0:25" 
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["program"] == "nginx"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["remote_addr"] == "172.77.77.254"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["remote_port"] == "53044"
-results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["cid"] == "15950"
-results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["loglevel"] == "info"
-results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["message"] == "2022/04/02 15:45:23 [info] 8#8: *15950 client 172.77.77.254:53044 connected to 0.0.0.0:25"
+results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["tid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Parsed["time"] == "2022/04/02 15:45:23"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["log_type"] == "mail_new_session"
-results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["source_ip"] == "172.77.77.254"
-results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][0].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Success == true
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["program"] == "nginx"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["remote_addr"] == "5.34.207.182"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["cid"] == "15950"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["loglevel"] == "error"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["message"] == "5.34.207.182 could not be resolved (3: Host not found) while in resolving client address"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["pid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["remote_addr"] == "5.34.207.182"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["time"] == "2022/04/02 15:45:23"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["cid"] == "15950"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Parsed["dest_port"] == "25"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["log_type"] == "mail_auth"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["source_ip"] == "5.34.207.182"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
-results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][1].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Success == true
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["time"] == "2022/04/02 15:45:25"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["message"] == "client login failed: \"AUTH not supported\" while in http auth state"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["program"] == "nginx"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["loglevel"] == "info"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["remote_addr"] == "5.34.207.182"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["auth_result"] == "AUTH not supported"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["cid"] == "15950"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["dest_port"] == "25"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["username"] == "servers@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["auth_result"] == "AUTH not supported"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["loglevel"] == "info"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["message"] == "client login failed: \"AUTH not supported\" while in http auth state"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["pid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["remote_addr"] == "5.34.207.182"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["tid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["time"] == "2022/04/02 15:45:25"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Parsed["username"] == "servers@example.com"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["auth_result"] == "AUTH not supported"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["log_type"] == "mail_auth"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["source_ip"] == "5.34.207.182"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["sub_type"] == "auth_fail"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["username"] == "servers@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["auth_result"] == "AUTH not supported"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Meta["target_user"] == "servers@example.com"
+results["s01-parse"]["hitech95/nginx-mail-logs"][2].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Success == true
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["time"] == "2022/04/05 13:25:10"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["cid"] == "24785"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["dest_port"] == "25"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["loglevel"] == "info"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["message"] == "2022/04/05 13:25:10 [info] 8#8: *24785 client 172.77.77.254:54928 connected to 0.0.0.0:25"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["remote_port"] == "54928"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["program"] == "nginx"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["remote_addr"] == "172.77.77.254"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["remote_port"] == "54928"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["tid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["dest_port"] == "25"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["loglevel"] == "info"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Parsed["time"] == "2022/04/05 13:25:10"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["log_type"] == "mail_new_session"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["source_ip"] == "172.77.77.254"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Meta["dest_ip"] == "0.0.0.0"
+results["s01-parse"]["hitech95/nginx-mail-logs"][3].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Success == true
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["cid"] == "24785"
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["loglevel"] == "info"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["message"] == "client logged in"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["program"] == "nginx"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["remote_addr"] == "209.85.210.53"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["time"] == "2022/04/05 13:25:11"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Parsed["cid"] == "24785"
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["auth_status"] == "success"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["dest_port"] == "25"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["log_type"] == "mail_auth"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["source_ip"] == "209.85.210.53"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["sub_type"] == "auth_success"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
-results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][4].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][5].Success == false
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Success == true
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["cid"] == "24790"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["dest_port"] == "11587"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["loglevel"] == "info"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["message"] == "2022/04/05 13:25:30 [info] 8#8: *24790 client 172.77.77.254:40734 connected to 0.0.0.0:11587"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["remote_addr"] == "172.77.77.254"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["remote_port"] == "40734"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["time"] == "2022/04/05 13:25:30"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["cid"] == "24790"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["remote_addr"] == "172.77.77.254"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["loglevel"] == "info"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Parsed["message"] == "2022/04/05 13:25:30 [info] 8#8: *24790 client 172.77.77.254:40734 connected to 0.0.0.0:11587"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["dest_port"] == "11587"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["log_type"] == "mail_new_session"
-results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Meta["source_ip"] == "172.77.77.254"
+results["s01-parse"]["hitech95/nginx-mail-logs"][6].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Success == true
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["remote_addr"] == "174.233.1.144"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["tid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["time"] == "2022/04/05 13:25:31"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["cid"] == "24790"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["dest_port"] == "11587"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["loglevel"] == "error"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["message"] == "174.233.1.144 could not be resolved (2: Server failure) while in resolving client address"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["program"] == "nginx"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["source_ip"] == "174.233.1.144"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["remote_addr"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["tid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Parsed["time"] == "2022/04/05 13:25:31"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["dest_port"] == "11587"
results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["log_type"] == "mail_auth"
-results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["service"] == "nginxmail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Meta["source_ip"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][7].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Success == true
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["cid"] == "24790"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["proxy_ip"] == "172.69.69.9"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["username"] == "admin@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["dest_port"] == "11587"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["loglevel"] == "info"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["message"] == "client logged in"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["pid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["proxy_ip"] == "172.69.69.9"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["proxy_port"] == "10025"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["remote_addr"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["time"] == "2022/04/05 13:25:31"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["service"] == "mail"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["source_ip"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Parsed["username"] == "admin@example.com"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["auth_status"] == "success"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["dest_port"] == "11587"
results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["log_type"] == "mail_auth"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["sub_type"] == "auth_success"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["username"] == "admin@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["service"] == "nginxmail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["source_ip"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Meta["target_user"] == "admin@example.com"
+results["s01-parse"]["hitech95/nginx-mail-logs"][8].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][9].Success == false
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Success == true
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["cid"] == "24819"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["dest_port"] == "11143"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["loglevel"] == "info"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["message"] == "2022/04/05 13:32:06 [info] 8#8: *24819 client 172.77.77.254:46610 connected to 0.0.0.0:11143"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["tid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["cid"] == "24819"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["remote_port"] == "46610"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["time"] == "2022/04/05 13:32:06"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["program"] == "nginx"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["remote_addr"] == "172.77.77.254"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["remote_port"] == "46610"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["tid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Parsed["time"] == "2022/04/05 13:32:06"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["dest_port"] == "11143"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["log_type"] == "mail_new_session"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["service"] == "mail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["source_ip"] == "172.77.77.254"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Meta["dest_ip"] == "0.0.0.0"
+results["s01-parse"]["hitech95/nginx-mail-logs"][10].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Success == true
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["cid"] == "24819"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["dest_port"] == "11143"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["loglevel"] == "info"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["message"] == "client logged in"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["pid"] == "8"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["program"] == "nginx"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["proxy_ip"] == "172.69.69.10"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["proxy_port"] == "143"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["remote_addr"] == "174.233.1.144"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["tid"] == "8"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["time"] == "2022/04/05 13:32:06"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["cid"] == "24819"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["dest_port"] == "11143"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["username"] == "admin@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["pid"] == "8"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["program"] == "nginx"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Parsed["message"] == "client logged in"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["auth_status"] == "success"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["dest_port"] == "11143"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["service"] == "mail"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["source_ip"] == "174.233.1.144"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["username"] == "admin@example.com"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["log_type"] == "mail_auth"
-results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["sub_type"] == "auth_success"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["service"] == "nginxmail"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["source_ip"] == "174.233.1.144"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Meta["target_user"] == "admin@example.com"
+results["s01-parse"]["hitech95/nginx-mail-logs"][11].Evt.Whitelisted == false
results["s01-parse"]["hitech95/nginx-mail-logs"][12].Success == false
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Success == true
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["loglevel"] == "info"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["message"] == "client login failed: \"Authentication credentials invalid\" while in http auth state"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["time"] == "2023/04/05 21:00:42"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["username"] == "postmaster"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["auth_result"] == "Authentication credentials invalid"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["cid"] == "175063"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["dest_port"] == "587"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["auth_result"] == "Authentication credentials invalid"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["loglevel"] == "info"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["message"] == "client login failed: \"Authentication credentials invalid\" while in http auth state"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["pid"] == "126"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["program"] == "nginx"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["tid"] == "126"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["remote_addr"] == "201.170.64.255"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["tid"] == "126"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["time"] == "2023/04/05 21:00:42"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Parsed["username"] == "postmaster"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["auth_result"] == "Authentication credentials invalid"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["dest_ip"] == "0.0.0.0"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["dest_port"] == "587"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["log_type"] == "mail_auth"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["service"] == "nginxmail"
results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["source_ip"] == "201.170.64.255"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["datasource_path"] == "nginx-mail-logs.log"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["dest_ip"] == "0.0.0.0"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["service"] == "mail"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["sub_type"] == "auth_fail"
-results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["username"] == "postmaster"
\ No newline at end of file
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Meta["target_user"] == "postmaster"
+results["s01-parse"]["hitech95/nginx-mail-logs"][13].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 14
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cid"] == "15950"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["loglevel"] == "info"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022/04/02 15:45:23 [info] 8#8: *15950 client 172.77.77.254:53044 connected to 0.0.0.0:25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "172.77.77.254"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_port"] == "53044"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["tid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "2022/04/02 15:45:23"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mail_new_session"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "nginxmail"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.77.77.254"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-02T15:45:23Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-02T15:45:23Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cid"] == "15950"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["loglevel"] == "error"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "5.34.207.182 could not be resolved (3: Host not found) while in resolving client address"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "5.34.207.182"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["tid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "2022/04/02 15:45:23"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mail_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "nginxmail"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "5.34.207.182"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-02T15:45:23Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-04-02T15:45:23Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_result"] == "AUTH not supported"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["cid"] == "15950"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["loglevel"] == "info"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "client login failed: \"AUTH not supported\" while in http auth state"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "5.34.207.182"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["tid"] == "8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "2022/04/02 15:45:25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "servers@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_result"] == "AUTH not supported"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["dest_ip"] == "0.0.0.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["dest_port"] == "25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mail_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "nginxmail"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "5.34.207.182"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "servers@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-04-02T15:45:25Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-04-02T15:45:25Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["body_bytes_sent"] == "118"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "174.233.1.144 - - [02/Apr/2022:17:11:53 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "174.233.1.144"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["request"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["status"] == "403"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time_local"] == "02/Apr/2022:17:11:53 +0200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["verb"] == "GET"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_path"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_status"] == "403"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "174.233.1.144"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-04-02T17:11:53+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-04-02T17:11:53+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["body_bytes_sent"] == "118"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_user_agent"] == "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "34.77.162.21 - - [05/Apr/2022:04:45:57 +0200] \"GET / HTTP/1.1\" 403 118 \"-\" \"Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. 
If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "34.77.162.21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["request"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["status"] == "403" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time_local"] == "05/Apr/2022:04:45:57 +0200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_status"] == "403" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_user_agent"] == "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. 
If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "34.77.162.21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-04-05T04:45:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-04-05T04:45:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["cid"] == "23638" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["loglevel"] == "error" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "directory index of \"/static/\" is forbidden" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "34.77.162.21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["request"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "2022/04/05 04:45:57" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["verb"] == "GET" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "http_error-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "34.77.162.21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-04-05T04:45:57Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-04-05T04:45:57Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["cid"] == "24785" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["dest_port"] == "25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "2022/04/05 13:25:10 [info] 8#8: *24785 client 172.77.77.254:54928 connected to 0.0.0.0:25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_port"] == 
"54928" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] == "2022/04/05 13:25:10" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["dest_port"] == "25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "mail_new_session" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-04-05T13:25:10Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:25:10Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["cid"] == "24785" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["dest_port"] == "25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "client logged in" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "nginx" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_addr"] == "209.85.210.53" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["time"] == "2022/04/05 13:25:11" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["dest_port"] == "25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "mail_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "209.85.210.53" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-04-05T13:25:11Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:25:11Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["cid"] == "24790" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["dest_port"] == "11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "2022/04/05 13:25:30 [info] 8#8: *24790 client 172.77.77.254:40734 
connected to 0.0.0.0:11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["remote_addr"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["remote_port"] == "40734" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["time"] == "2022/04/05 13:25:30" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["dest_port"] == "11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "mail_new_session" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-04-05T13:25:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:25:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["cid"] == "24790" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["dest_port"] == "11587" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["loglevel"] == "error" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "174.233.1.144 could not be resolved (2: Server failure) while in resolving client address" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["remote_addr"] == "174.233.1.144" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["time"] == "2022/04/05 13:25:31" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["dest_port"] == "11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "mail_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "174.233.1.144" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2022-04-05T13:25:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:25:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["cid"] == "24790" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["dest_port"] == "11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "client logged in" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["proxy_ip"] == "172.69.69.9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["proxy_port"] == "10025" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["remote_addr"] == "174.233.1.144" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["time"] == "2022/04/05 13:25:31" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["username"] == "admin@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["dest_port"] == "11587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "mail_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "174.233.1.144" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "admin@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-04-05T13:25:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:25:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["cid"] == "24819" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["dest_port"] == "11143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2022/04/05 13:32:06 [info] 8#8: *24819 client 172.77.77.254:46610 connected to 0.0.0.0:11143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["remote_addr"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["remote_port"] == "46610" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["time"] == "2022/04/05 13:32:06" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["dest_ip"] == "0.0.0.0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["dest_port"] == "11143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "mail_new_session" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "172.77.77.254" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-04-05T13:32:06Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:32:06Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["cid"] == "24819" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["dest_port"] == "11143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "client logged in" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["pid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["proxy_ip"] == "172.69.69.10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["proxy_port"] == "143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["remote_addr"] == "174.233.1.144" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["tid"] == "8" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["time"] == "2022/04/05 13:32:06" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["username"] == "admin@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["dest_port"] == "11143" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "mail_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "174.233.1.144" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["target_user"] == "admin@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2022-04-05T13:32:06Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2022-04-05T13:32:06Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["auth_result"] == "Authentication credentials invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["cid"] == "175063" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["dest_port"] == "587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["loglevel"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == 
"client login failed: \"Authentication credentials invalid\" while in http auth state" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["pid"] == "126" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["remote_addr"] == "201.170.64.255" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["tid"] == "126" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["time"] == "2023/04/05 21:00:42" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["username"] == "postmaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_result"] == "Authentication credentials invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "nginx-mail-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["dest_ip"] == "0.0.0.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["dest_port"] == "587" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "mail_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "nginxmail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "201.170.64.255" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["target_user"] == "postmaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2023-04-05T21:00:42Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2023-04-05T21:00:42Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Whitelisted 
== false +len(results["success"][""]) == 0 diff --git a/.tests/ntfy-bf/parser.assert b/.tests/ntfy-bf/parser.assert deleted file mode 100644 index 8b137891791..00000000000 --- a/.tests/ntfy-bf/parser.assert +++ /dev/null @@ -1 +0,0 @@ - diff --git a/.tests/ntfy-bf/scenario.assert b/.tests/ntfy-bf/scenario.assert index 844536f4347..a0b9fac096f 100644 --- a/.tests/ntfy-bf/scenario.assert +++ b/.tests/ntfy-bf/scenario.assert 
@@ -4,39 +4,39 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1" results[0].Overflow.Sources["127.0.0.1"].Range == "" results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip" results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[2].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" 
basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[4].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ntfy-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ntfy_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("service") == "ntfy" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-08-03T14:32:00.02-04:00" diff --git a/.tests/ntfy-logs/parser.assert b/.tests/ntfy-logs/parser.assert index 7efcefcd175..a01e38a1d59 100644 --- a/.tests/ntfy-logs/parser.assert +++ b/.tests/ntfy-logs/parser.assert 
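Review bot: The six new `GetMeta("auth_status") == "failed"` assertions replace the `log_type == "ntfy_failed_auth"` ones outright, so nothing in this scenario expectation (nor in the three ntfy-logs parser.assert hunks at -77, -88 and -99, which make the same swap) still pins what kind of ntfy event was classified. The nginx-mail expectations earlier in this diff carry both fields side by side, e.g. `Meta["log_type"] == "mail_auth"` next to `Meta["auth_status"] == "failed"`, which is what lets a scenario filter on event type rather than only on outcome. If the ntfy parser now emits no `log_type` at all, presumably the bf scenario's filter moved to `auth_status`; confirm that is intended, and otherwise keep one `GetMeta("log_type")` assertion per event alongside the new one so a regression that drops the classification is caught here.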
@@ -77,9 +77,9 @@ results["s01-parse"]["Jgigantino31/ntfy-logs"][1].Success == false results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Success == true results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:32:00.02-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 403 (ntfy error 40301)\",\"error\":\"forbidden\",\"error_code\":40301,\"http_method\":\"GET\",\"http_path\":\"/test_topic/auth\",\"http_status\":403,\"tag\":\"http\",\"topic\":\"test_topic\",\"topic_last_access\":\"2025-08-03T14:30:16.465-04:00\",\"topic_subscribers\":0,\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":30,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":59.0000532854,\"visitor_seen\":\"2025-08-03T14:32:00.02-04:00\"}" results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Parsed["program"] == "ntfy" +results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["datasource_path"]) == "ntfy-logs.log" results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["log_type"] == "ntfy_failed_auth" results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["service"] == "ntfy" results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1" results["s01-parse"]["Jgigantino31/ntfy-logs"][2].Evt.Whitelisted == false 
@@ -88,9 +88,9 @@ results["s01-parse"]["Jgigantino31/ntfy-logs"][4].Success == false
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Success == true
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:33:40.117-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 401 (ntfy error 40101)\",\"error\":\"unauthorized\",\"error_code\":40101,\"http_method\":\"GET\",\"http_path\":\"/test_topic/auth\",\"http_status\":401,\"tag\":\"http\",\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":29.000000738933334,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":60,\"visitor_seen\":\"2025-08-03T14:33:40.069-04:00\"}"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Parsed["program"] == "ntfy"
+results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["datasource_path"]) == "ntfy-logs.log"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["log_type"] == "ntfy_failed_auth"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["service"] == "ntfy"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][5].Evt.Whitelisted == false
@@ -99,9 +99,9 @@ results["s01-parse"]["Jgigantino31/ntfy-logs"][7].Success == false
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Success == true
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:36:21.752-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 403 (ntfy error 40301)\",\"error\":\"forbidden\",\"error_code\":40301,\"http_method\":\"PUT\",\"http_path\":\"/test_topic\",\"http_status\":403,\"tag\":\"http\",\"topic\":\"test_topic\",\"topic_last_access\":\"2025-08-03T14:30:16.465-04:00\",\"topic_subscribers\":0,\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":30,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":59.0001689236,\"visitor_seen\":\"2025-08-03T14:36:21.751-04:00\"}"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Parsed["program"] == "ntfy"
+results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["datasource_path"]) == "ntfy-logs.log"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["log_type"] == "ntfy_failed_auth"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["service"] == "ntfy"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s01-parse"]["Jgigantino31/ntfy-logs"][8].Evt.Whitelisted == false
@@ -110,9 +110,9 @@ len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:32:00.02-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 403 (ntfy error 40301)\",\"error\":\"forbidden\",\"error_code\":40301,\"http_method\":\"GET\",\"http_path\":\"/test_topic/auth\",\"http_status\":403,\"tag\":\"http\",\"topic\":\"test_topic\",\"topic_last_access\":\"2025-08-03T14:30:16.465-04:00\",\"topic_subscribers\":0,\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":30,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":59.0000532854,\"visitor_seen\":\"2025-08-03T14:32:00.02-04:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "ntfy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "ntfy-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ntfy_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ntfy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-08-03T14:32:00.02-04:00"
@@ -121,9 +121,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == fa
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:33:40.117-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 401 (ntfy error 40101)\",\"error\":\"unauthorized\",\"error_code\":40101,\"http_method\":\"GET\",\"http_path\":\"/test_topic/auth\",\"http_status\":401,\"tag\":\"http\",\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":29.000000738933334,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":60,\"visitor_seen\":\"2025-08-03T14:33:40.069-04:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "ntfy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "ntfy-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ntfy_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ntfy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-08-03T14:33:40.117-04:00"
@@ -132,9 +132,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == fa
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"time\":\"2025-08-03T14:36:21.752-04:00\",\"level\":\"DEBUG\",\"message\":\"Connection closed with HTTP 403 (ntfy error 40301)\",\"error\":\"forbidden\",\"error_code\":40301,\"http_method\":\"PUT\",\"http_path\":\"/test_topic\",\"http_status\":403,\"tag\":\"http\",\"topic\":\"test_topic\",\"topic_last_access\":\"2025-08-03T14:30:16.465-04:00\",\"topic_subscribers\":0,\"visitor_auth_limiter_limit\":0.016666666666666666,\"visitor_auth_limiter_tokens\":30,\"visitor_id\":\"ip:127.0.0.1\",\"visitor_ip\":\"127.0.0.1\",\"visitor_messages\":0,\"visitor_messages_limit\":17280,\"visitor_messages_remaining\":17280,\"visitor_request_limiter_limit\":0.2,\"visitor_request_limiter_tokens\":59.0001689236,\"visitor_seen\":\"2025-08-03T14:36:21.751-04:00\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "ntfy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "ntfy-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ntfy_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ntfy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-08-03T14:36:21.752-04:00"
diff --git a/.tests/odoo-bf_user-enum/config.yaml b/.tests/odoo-bf_user-enum/config.yaml
index bfd26f98eaa..b6ecc69c677 100644
--- a/.tests/odoo-bf_user-enum/config.yaml
+++ b/.tests/odoo-bf_user-enum/config.yaml
@@ -9,4 +9,4 @@ postoverflows:
 log_file: odoo.log
 log_type: odoo
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
diff --git a/.tests/odoo-bf_user-enum/parser.assert b/.tests/odoo-bf_user-enum/parser.assert
deleted file mode 100644
index ec6e3aa15d6..00000000000
--- a/.tests/odoo-bf_user-enum/parser.assert
+++ /dev/null
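Review bot: Flipping `ignore_parsers: false` to `ignore_parsers: true` while deleting `.tests/odoo-bf_user-enum/parser.assert` in the same change removes every parser-stage check for the odoo test, so the `s01-parse` and `s02-enrich` output is now verified only indirectly through the scenario assertions that follow. A parser regression that still produces an overflow — for example a changed `Evt.Parsed["PID"]` or `Evt.Parsed["db_name"]` value, which the deleted file covered and the scenario asserts do not — would no longer be caught at the stage where it originates. The sibling ntfy-logs test keeps its parser.assert and simply updates it to the new `auth_status` meta, so the same treatment here (keep `ignore_parsers: false` and regenerate parser.assert with the renamed metas) would preserve coverage. If parser output is intentionally not asserted for this fixture, a short comment next to `ignore_parsers` explaining why would help the next reader.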
@@ -1,222 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-04-05 14:40:34,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-04-05 14:40:35,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto2@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022-04-05 14:40:36,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto3@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2022-04-05 14:40:37,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto4@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2022-04-05 14:40:38,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto5@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022-04-05 14:40:39,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto6@mail.fr from 172.19.0.1"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "odoo"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "odoo.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
-len(results["s01-parse"]["crowdsecurity/odoo-logs"]) == 6
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["timestamp"] == "2022-04-05 14:40:34,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["user"] == "toto@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["message"] == "2022-04-05 14:40:34,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["user"] == "toto@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["message"] == "2022-04-05 14:40:35,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto2@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["timestamp"] == "2022-04-05 14:40:35,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["user"] == "toto2@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["user"] == "toto2@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["user"] == "toto3@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["message"] == "2022-04-05 14:40:36,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto3@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["timestamp"] == "2022-04-05 14:40:36,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["user"] == "toto3@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["message"] == "2022-04-05 14:40:37,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto4@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["timestamp"] == "2022-04-05 14:40:37,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["user"] == "toto4@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["user"] == "toto4@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["message"] == "2022-04-05 14:40:38,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto5@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["timestamp"] == "2022-04-05 14:40:38,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["user"] == "toto5@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["user"] == "toto5@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Success == true
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["timestamp"] == "2022-04-05 14:40:39,644"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["user"] == "toto6@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["PID"] == "1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["db_name"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["message"] == "2022-04-05 14:40:39,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto6@mail.fr from 172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["program"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["datasource_path"] == "odoo.log"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["user"] == "toto6@mail.fr"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-04-05 14:40:34,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-04-05 14:40:34,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "toto@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-05T14:40:34.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "toto@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:34.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-04-05 14:40:35,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto2@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-04-05 14:40:35,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "toto2@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-05T14:40:35.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "toto2@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:35.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2022-04-05 14:40:36,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user"] == "toto3@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-04-05 14:40:36,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto3@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-04-05T14:40:36.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "toto3@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:36.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["user"] == "toto4@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2022-04-05 14:40:37,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto4@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2022-04-05 14:40:37,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-04-05T14:40:37.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "toto4@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:37.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user"] == "toto5@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2022-04-05 14:40:38,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto5@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2022-04-05 14:40:38,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-04-05T14:40:38.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "toto5@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:38.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["db_name"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2022-04-05 14:40:39,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto6@mail.fr from 172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022-04-05 14:40:39,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["user"] == "toto6@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "toto6@mail.fr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "odoo.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "odoo_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-04-05T14:40:39.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:39.644Z"
-len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/odoo-bf_user-enum/scenario.assert b/.tests/odoo-bf_user-enum/scenario.assert
index 39f60b35967..8f512e2d327 100644
--- a/.tests/odoo-bf_user-enum/scenario.assert
+++ b/.tests/odoo-bf_user-enum/scenario.assert
@@ -4,48 +4,54 @@ results[0].Overflow.Sources["172.19.0.1"].IP == "172.19.0.1"
 results[0].Overflow.Sources["172.19.0.1"].Range == ""
 results[0].Overflow.Sources["172.19.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["172.19.0.1"].GetValue() == "172.19.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "toto@mail.fr"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-05T14:40:34.644Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "toto@mail.fr"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "toto2@mail.fr"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-05T14:40:35.644Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "toto2@mail.fr"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toto3@mail.fr"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-05T14:40:36.644Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "toto3@mail.fr"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "toto4@mail.fr"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-05T14:40:37.644Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "toto4@mail.fr"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toto5@mail.fr"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-05T14:40:38.644Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "toto5@mail.fr"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "odoo.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "odoo.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("db") == "odoo"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "odoo_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "odoo"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.19.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "toto6@mail.fr"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-05T14:40:39.644Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "toto6@mail.fr"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/odoo_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -54,48 +60,54 @@ results[1].Overflow.Sources["172.19.0.1"].IP == "172.19.0.1"
 results[1].Overflow.Sources["172.19.0.1"].Range == ""
 results[1].Overflow.Sources["172.19.0.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["172.19.0.1"].GetValue() == "172.19.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "toto@mail.fr"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-05T14:40:34.644Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "toto@mail.fr"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "toto2@mail.fr"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-05T14:40:35.644Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "toto2@mail.fr"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "toto3@mail.fr"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-05T14:40:36.644Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "toto3@mail.fr"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "toto4@mail.fr"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-05T14:40:37.644Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "toto4@mail.fr"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[4].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[4].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "toto5@mail.fr"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-05T14:40:38.644Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "toto5@mail.fr"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "odoo.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "odoo.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[5].GetMeta("db") == "odoo"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "odoo_failed_auth"
+results[1].Overflow.Alert.Events[5].GetMeta("service") == "odoo"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.19.0.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "toto6@mail.fr"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-05T14:40:39.644Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "toto6@mail.fr"
 results[1].Overflow.Alert.GetScenario() == "crowdsecurity/odoo-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/odoo-logs/parser.assert b/.tests/odoo-logs/parser.assert
index ec6e3aa15d6..7fe1c298c2b 100644
--- a/.tests/odoo-logs/parser.assert
+++ b/.tests/odoo-logs/parser.assert
@@ -49,9 +49,9 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Parsed["message"] == "202
 results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["user"] == "toto@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["target_user"] == "toto@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["PID"] == "1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["db_name"] == "odoo"
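Review bot: The parser assertions for `crowdsecurity/odoo-logs` never check `Evt.Meta["service"]`, while the regenerated `.tests/odoo-bf_user-enum/scenario.assert` in this same change asserts `GetMeta("service") == "odoo"` on every event, so the new `service` meta is unverified at the stage that produces it. This hunk reads like a search-and-replace of `log_type`/`user` rather than a regenerated assert file: the substituted keys keep their old positions instead of the sorted order the scenario file uses, and `datasource_path` is still compared verbatim where the scenario file switched to `basename(...)`. Add `results["s01-parse"]["crowdsecurity/odoo-logs"][0].Evt.Meta["service"] == "odoo"` here (and the matching line for each event index and for the s02-enrich stage), or regenerate the file so it reflects what the parser actually emits. The same gap applies to the remaining hunks of this file.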
@@ -60,11 +60,11 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["program"] == "odo
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["source_ip"] == "172.19.0.1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["timestamp"] == "2022-04-05 14:40:35,644"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Parsed["user"] == "toto2@mail.fr"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["user"] == "toto2@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["target_user"] == "toto2@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][1].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Success == true
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["user"] == "toto3@mail.fr"
@@ -75,11 +75,11 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["program"] == "odo
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["source_ip"] == "172.19.0.1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Parsed["timestamp"] == "2022-04-05 14:40:36,644"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["user"] == "toto3@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["target_user"] == "toto3@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Success == true
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["db_name"] == "odoo"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["message"] == "2022-04-05 14:40:37,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto4@mail.fr from 172.19.0.1"
@@ -89,9 +89,9 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["timestamp"] == "2
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["user"] == "toto4@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Parsed["PID"] == "1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["user"] == "toto4@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["target_user"] == "toto4@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][4].Success == true
@@ -105,9 +105,9 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Parsed["db_name"] == "odo
 results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["user"] == "toto5@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][4].Evt.Meta["target_user"] == "toto5@mail.fr"
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Success == true
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["source_ip"] == "172.19.0.1"
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["timestamp"] == "2022-04-05 14:40:39,644"
@@ -119,9 +119,9 @@ results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Parsed["program"] == "odo
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["datasource_path"] == "odoo.log"
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["db"] == "odoo"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["source_ip"] == "172.19.0.1"
-results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["user"] == "toto6@mail.fr"
+results["s01-parse"]["crowdsecurity/odoo-logs"][5].Evt.Meta["target_user"] == "toto6@mail.fr"
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["PID"] == "1"
@@ -132,11 +132,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-04-05 14:40:34,644"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "toto@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-05T14:40:34.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "toto@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "toto@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:34.644Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
@@ -150,10 +150,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] ==
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-05T14:40:35.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "toto2@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "toto2@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:35.644Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "odoo"
@@ -165,11 +165,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["db_name"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022-04-05 14:40:36,644 1 INFO odoo odoo.addons.base.models.res_users: Login failed for db:odoo login:toto3@mail.fr from 172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-04-05T14:40:36.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "toto3@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "toto3@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:36.644Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["user"] == "toto4@mail.fr"
@@ -182,10 +182,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-04-05T14:40:37.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "toto4@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "toto4@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:37.644Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user"] == "toto5@mail.fr"
@@ -195,10 +195,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "odoo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2022-04-05 14:40:38,644"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-04-05T14:40:38.644Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "toto5@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "toto5@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["db"] == "odoo"
@@ -211,11 +211,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022-04-05 14:40:39,644"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["user"] == "toto6@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["PID"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "toto6@mail.fr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "toto6@mail.fr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "odoo.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["db"] == "odoo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "odoo_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "172.19.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-04-05T14:40:39.644Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-04-05T14:40:39.644Z"
diff --git a/.tests/ombi-bf/parser.assert b/.tests/ombi-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/ombi-bf/scenario.assert b/.tests/ombi-bf/scenario.assert
index a38ebefbbdb..4cb5a921104 100644
--- a/.tests/ombi-bf/scenario.assert
+++ b/.tests/ombi-bf/scenario.assert
@@ -4,42 +4,42 @@ results[0].Overflow.Sources["1.1.1.1"].IP == "1.1.1.1"
 results[0].Overflow.Sources["1.1.1.1"].Range == ""
 results[0].Overflow.Sources["1.1.1.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.1.1.1"].GetValue() == "1.1.1.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "ombi-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ombi-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ombi_auth_failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "ombi"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.1.1.1"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-11T14:07:54.11Z"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/ombi-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/ombi-logs/parser.assert b/.tests/ombi-logs/parser.assert
index 8e336dba239..5de4ca1103c 100644
--- a/.tests/ombi-logs/parser.assert
+++ b/.tests/ombi-logs/parser.assert
@@ -1,11 +1,37 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-02-11 14:07:54.110 +02:00 [Warning] Failed login attempt by IP: 1.1.1.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "ombi"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "ombi-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 len(results["s01-parse"]["LePresidente/ombi-logs"]) == 1
 results["s01-parse"]["LePresidente/ombi-logs"][0].Success == true
-results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Parsed["timestamp"] == "2022-02-11 14:07:54.110"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Parsed["message"] == "2022-02-11 14:07:54.110 +02:00 [Warning] Failed login attempt by IP: 1.1.1.1"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Parsed["program"] == "ombi"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
+results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Parsed["timestamp"] == "2022-02-11 14:07:54.110"
+results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["datasource_path"]) == "ombi-logs.log"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["log_type"] == "ombi_auth_failed"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["service"] == "ombi"
 results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Meta["datasource_path"] == "ombi-logs.log"
\ No newline at end of file
+results["s01-parse"]["LePresidente/ombi-logs"][0].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-02-11 14:07:54.110 +02:00 [Warning] Failed login attempt by IP: 1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "ombi"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-02-11 14:07:54.110"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "ombi-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ombi"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-02-11T14:07:54.11Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-02-11T14:07:54.11Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/opensearch-dashboard-bf/scenario.assert b/.tests/opensearch-dashboard-bf/scenario.assert
index 43bd85a3daa..37652949df1 100644
--- a/.tests/opensearch-dashboard-bf/scenario.assert
+++ b/.tests/opensearch-dashboard-bf/scenario.assert
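Review bot: The enriched value pinned at the end of this hunk, `Evt.Meta["timestamp"] == "2022-02-11T14:07:54.11Z"` (and the matching `Enriched["MarshaledTime"]`), is two hours off the event: the raw message carries `14:07:54.110 +02:00`, but `Parsed["timestamp"]` is asserted as `2022-02-11 14:07:54.110` with the offset stripped, so dateparse-enrich appears to treat local time as UTC. Contrast the opensearch fixture in the same diff, where `13:09:20.606136+01:00` correctly becomes `12:09:20Z`. Unless dropping the offset is intentional, the parser's timestamp capture should keep the `+02:00` and these assertions should expect `"2022-02-11T12:07:54.11Z"`; a skewed timestamp misplaces the failed login relative to other sources during correlation and can shift which bucket window it lands in. The ombi parser definition is not part of this diff, so this is inferred from the asserted values.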
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" results[0].Overflow.Sources["192.168.1.1"].Range == "" results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "opensearch-dashboard.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[0].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("status_code") == "401.000000" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-22T12:09:20Z" results[0].Overflow.Alert.Events[0].GetMeta("url") == "/auth/login?dataSourceId=" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "opensearch-dashboard.log" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[1].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[1].GetMeta("status_code") == "401.000000" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-22T12:09:20Z" 
results[0].Overflow.Alert.Events[1].GetMeta("url") == "/auth/login?dataSourceId=" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "opensearch-dashboard.log" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[2].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[2].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[2].GetMeta("status_code") == "401.000000" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-22T12:09:20Z" results[0].Overflow.Alert.Events[2].GetMeta("url") == "/auth/login?dataSourceId=" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "opensearch-dashboard.log" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[3].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[3].GetMeta("status_code") == "401.000000" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-22T12:09:20Z" results[0].Overflow.Alert.Events[3].GetMeta("url") == "/auth/login?dataSourceId=" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "opensearch-dashboard.log" 
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[4].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[4].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[4].GetMeta("status_code") == "401.000000" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-22T12:09:20Z" results[0].Overflow.Alert.Events[4].GetMeta("url") == "/auth/login?dataSourceId=" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "opensearch-dashboard.log" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "opensearch-dashboard.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "opensearch_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("machine") == "wazuh-prod" results[0].Overflow.Alert.Events[5].GetMeta("service") == "opensearch" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.1" diff --git a/.tests/opensearch-dashboard-logs/parser.assert b/.tests/opensearch-dashboard-logs/parser.assert index d4c583cdadd..26284519a85 100644 --- a/.tests/opensearch-dashboard-logs/parser.assert +++ b/.tests/opensearch-dashboard-logs/parser.assert 
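Review bot: Every event in this hunk pins `GetMeta("status_code") == "401.000000"`, a float-formatted string rather than `"401"`, which suggests the parser stringifies the unmarshaled JSON number (asserted elsewhere in this diff as `res.statusCode == 401`) without an integer conversion. Any scenario or postoverflow that filters on `evt.Meta.status_code == '401'` will silently never match while this test keeps passing. Consider making the capture yield `"401"` and updating these six assertions to `GetMeta("status_code") == "401"`; the parser is not in this diff, so this is inferred from the pinned values.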
@@ -6,7 +6,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "{\"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "9400"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "opensearch-dashboards"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2025-01-22T13:09:20.606136+01:00"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "opensearch-dashboard.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "opensearch-dashboard.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "wazuh-prod"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
@@ -17,9 +17,9 @@ results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Parsed["mess
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Parsed["pid"] == "9400"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Parsed["program"] == "opensearch-dashboards"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Parsed["timestamp8601"] == "2025-01-22T13:09:20.606136+01:00"
-results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["datasource_path"] == "opensearch-dashboard.log"
+results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["datasource_path"]) == "opensearch-dashboard.log"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["log_type"] == "opensearch_failed_auth"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["machine"] == "wazuh-prod"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["service"] == "opensearch"
 results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
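Review bot: The `Meta["source_ip"] == "192.168.1.1"` assertion that closes this hunk equals the fixture's `req.remoteAddress`, and the request headers asserted later in the file carry no `x-forwarded-for`, so the test only covers a dashboard reached directly. Behind a reverse proxy, `remoteAddress` is the proxy, and a scenario built on this meta would ban the proxy itself; the fixture does not say which address the parser is meant to trust. A second log line with a forwarded-for header, and an assertion stating whether `source_ip` follows it or stays on `remoteAddress`, would make that decision explicit and regression-tested. The parser itself is outside this diff, so whether it already honours forwarded headers cannot be confirmed here.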
@@ -27,36 +27,36 @@ results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["status results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["timestamp"] == "2025-01-22T12:09:20Z" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Meta["url"] == "/auth/login?dataSourceId=" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["@timestamp"] == "2025-01-22T12:09:20Z" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["responseTime"] == 333 -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["statusCode"] == 401 -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["contentLength"] == 9 -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["statusCode"] == 401 -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["type"] == "response" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["message"] == "POST /auth/login?dataSourceId= 401 333ms - 9.0B" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["method"] == "post" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["pid"] == 9400 -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept"] == "*/*" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["userAgent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-gpc"] == "1" 
results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept-language"] == "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["priority"] == "u=0" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["host"] == "wazuh.auk.test" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["origin"] == "https://wazuh.auk.test" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept-encoding"] == "gzip, deflate, br, zstd" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["connection"] == "keep-alive" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["content-length"] == "40" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-xsrf"] == "osd-fetch" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-site"] == "same-origin" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-mode"] == "cors" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept"] == "*/*" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["content-type"] == "application/json" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["host"] == "wazuh.auk.test" 
results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-version"] == "2.16.0" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["referer"] == "https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-site"] == "same-origin" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-gpc"] == "1" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["content-length"] == "40" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["user-agent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["priority"] == "u=0" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-dest"] == "empty" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-mode"] == "cors" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["origin"] == "https://wazuh.auk.test" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-xsrf"] == "osd-fetch" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["user-agent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["referer"] == 
"https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["method"] == "post" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["referer"] == "https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["remoteAddress"] == "192.168.1.1" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["url"] == "/auth/login?dataSourceId=" -results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["req"]["userAgent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["statusCode"] == 401 +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["contentLength"] == 9 +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["res"]["responseTime"] == 333 +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["statusCode"] == 401 +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["type"] == "response" +results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Unmarshaled["opensearch"]["message"] == "POST /auth/login?dataSourceId= 401 333ms - 9.0B" results["s01-parse"]["bouddha-fr/opensearch-dashboard-logs"][0].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true 
@@ -65,9 +65,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "9400"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "opensearch-dashboards"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2025-01-22T13:09:20.606136+01:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "opensearch-dashboard.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "opensearch-dashboard.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "opensearch_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "wazuh-prod"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "opensearch"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
@@ -75,36 +75,36 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["status_code results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-01-22T12:09:20Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["url"] == "/auth/login?dataSourceId=" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-01-22T12:09:20Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["contentLength"] == 9 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["responseTime"] == 333 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["statusCode"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["type"] == "response" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["@timestamp"] == "2025-01-22T12:09:20Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["message"] == "POST /auth/login?dataSourceId= 401 333ms - 9.0B" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["pid"] == 9400 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["statusCode"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["method"] == "post" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["remoteAddress"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["url"] == "/auth/login?dataSourceId=" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["userAgent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept"] == "*/*" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept-language"] == "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["origin"] == "https://wazuh.auk.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-xsrf"] == "osd-fetch" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["priority"] == "u=0" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-mode"] == "cors" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-gpc"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["host"] == "wazuh.auk.test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-dest"] == "empty" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept-encoding"] == "gzip, deflate, br, zstd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["content-length"] == "40" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["content-type"] == "application/json" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["host"] == "wazuh.auk.test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["referer"] == "https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-version"] == "2.16.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["user-agent"] == "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["connection"] == "keep-alive" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-version"] == "2.16.0" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-dest"] == "empty" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["origin"] == "https://wazuh.auk.test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["priority"] == "u=0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-mode"] == "cors" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept"] == "*/*" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["osd-xsrf"] == "osd-fetch" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["referer"] == "https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-fetch-site"] == "same-origin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["accept-encoding"] == "gzip, deflate, br, zstd" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["headers"]["sec-gpc"] == "1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["method"] == "post" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["referer"] == "https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["remoteAddress"] == "192.168.1.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["req"]["url"] == "/auth/login?dataSourceId=" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["contentLength"] == 9 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["responseTime"] == 333 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["res"]["statusCode"] == 401 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["statusCode"] == 401 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["type"] == "response" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["@timestamp"] == "2025-01-22T12:09:20Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["message"] == "POST /auth/login?dataSourceId= 401 333ms - 9.0B" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["method"] == "post" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["opensearch"]["pid"] == 9400 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false len(results["success"][""]) == 0 
diff --git a/.tests/openvpn-bf/parser.assert b/.tests/openvpn-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/opnsense-gui-auth/config.yaml b/.tests/opnsense-gui-auth/config.yaml
index 48b360a4267..34557142edb 100644
--- a/.tests/opnsense-gui-auth/config.yaml
+++ b/.tests/opnsense-gui-auth/config.yaml
@@ -9,4 +9,4 @@ postoverflows:
 log_file: opnsense-gui-auth.log
 log_type: syslog
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
diff --git a/.tests/opnsense-gui-auth/parser.assert b/.tests/opnsense-gui-auth/parser.assert
deleted file mode 100644
index c89cf4fbe59..00000000000
--- a/.tests/opnsense-gui-auth/parser.assert
+++ /dev/null
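Review bot: Flipping to `ignore_parsers: true` here switches off parser assertions for opnsense-gui-auth while the header that follows deletes a non-empty `parser.assert` (blob c89cf4fbe59, 323 lines pinning `program == "audit"`, the `machine` field and the `Web GUI authentication error for 'toto' from 1.2.3.4` message). Unlike the other `parser.assert` deletions in this commit, which remove empty blobs (e69de29bb2d), this one drops real regression coverage of what the parser extracts from OPNsense GUI auth failures, leaving only the scenario-level check. If the parser is exercised by a sibling test, record that next to the flag, e.g. `ignore_parsers: true  # parser output covered by <sibling test>`; otherwise keep a trimmed `parser.assert` that pins at least the extracted source IP and the auth-failure meta. Why the coverage is being dropped is not stated anywhere in the visible diff.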
@@ -1,323 +0,0 @@ -len(results) == 4 -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6 -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["syslog_priority"] == "35" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["syslog_priority"] == "35" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["syslog_priority"] == "35" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["syslog_priority"] == "35" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["syslog_priority"] == "35" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == 
"opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "24409" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "audit" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["seq_id"] == "4" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["syslog_priority"] == "35" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["syslog_version"] == "1" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false -len(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"]) == 6 -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["pid"] == "24409" 
-results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["program"] == "audit" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["seq_id"] == "4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["syslog_priority"] == "35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][0].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["pid"] == "24409" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["program"] == "audit" 
-results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["seq_id"] == "4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["syslog_priority"] == "35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][1].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["pid"] == "24409" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["program"] == "audit" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["seq_id"] == "4" 
-results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["syslog_priority"] == "35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][2].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["pid"] == "24409" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["program"] == "audit" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["seq_id"] == "4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["source_ip"] == 
"1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["syslog_priority"] == "35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][3].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["pid"] == "24409" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["program"] == "audit" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["seq_id"] == "4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" 
-results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["syslog_priority"] == "35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][4].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Success == true -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["pid"] == "24409" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["program"] == "audit" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["seq_id"] == "4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["syslog_priority"] == 
"35" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["syslog_version"] == "1" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Parsed["username"] == "toto" -basename(results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["service"] == "opnsense-gui" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/opnsense-gui-logs"][5].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "24409" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["seq_id"] == "4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["syslog_priority"] == "35" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "24409" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["seq_id"] == "4" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["syslog_priority"] == "35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "24409" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["seq_id"] == "4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["syslog_priority"] == "35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "/index.php: Web GUI 
authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "24409" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["seq_id"] == "4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["syslog_priority"] == "35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "24409" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["seq_id"] == "4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["syslog_priority"] == "35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "/index.php: Web GUI authentication error for 'toto' from 1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "24409" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "audit" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["seq_id"] == "4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["syslog_priority"] == "35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["syslog_version"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp8601"] == "2022-01-19T15:14:32+00:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "toto" -basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "opnsense-gui-auth.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "opnsense-gui-failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "OPNsense.localdomain" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "opnsense-gui" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-01-19T15:14:32Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "toto" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-01-19T15:14:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false -len(results["success"][""]) == 0 diff --git a/.tests/opnsense-gui-auth/scenario.assert b/.tests/opnsense-gui-auth/scenario.assert index b463bde4970..0d11a6282bd 100644 --- a/.tests/opnsense-gui-auth/scenario.assert +++ b/.tests/opnsense-gui-auth/scenario.assert 
@@ -6,52 +6,52 @@ results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "opnsense-gui-auth.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "opnsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "opnsense-gui"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-01-19T15:14:32Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "toto"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/opnsense-gui-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/opnsense-sshd/parser.assert b/.tests/opnsense-sshd/parser.assert
index 636e48bba53..de27577a31a 100644
--- a/.tests/opnsense-sshd/parser.assert
+++ b/.tests/opnsense-sshd/parser.assert
@@ -144,7 +144,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:55+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
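Review bot: The six `datasource_path` assertions in this hunk (`results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "opnsense-gui-auth.log"` and its siblings for Events[1]..[5]) still compare the raw value, whereas the overseerr-bf scenario hunk in the same commit rewrites the equivalent line as `basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "overseerr-bf.log"` and the opnsense parser.assert hunks already use `basename(...)`. The opnsense-sshd scenario hunks carry the same raw comparisons against "opnsense-sshd.log". Presumably the raw form only holds while the test runner hands the acquisition a bare relative filename, so it is likely to break if the runner or its working directory changes; wrapping these lines in `basename(...)` would keep the fixtures consistent with the rest of the commit and independent of the path they are run from.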
@@ -163,7 +163,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:56+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -182,7 +182,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:56+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -201,7 +201,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -220,7 +220,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -239,7 +239,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -258,7 +258,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -277,7 +277,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -296,7 +296,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -315,7 +315,7 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["syslog_version"]
 results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:59+00:00"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -335,7 +335,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:55+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -356,7 +356,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:56+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -377,7 +377,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:56+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -398,7 +398,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -419,7 +419,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -440,7 +440,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:57+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -461,7 +461,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -482,7 +482,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -503,7 +503,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:58+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "1.2.3.4"
@@ -524,7 +524,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["syslog_ve
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp8601"] == "2022-01-19T14:23:59+00:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "opnsense-sshd.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["machine"] == "OPNsense.localdomain"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "1.2.3.4"
diff --git a/.tests/opnsense-sshd/scenario.assert b/.tests/opnsense-sshd/scenario.assert
index 655138b078c..c302f3f8921 100644
--- a/.tests/opnsense-sshd/scenario.assert
+++ b/.tests/opnsense-sshd/scenario.assert
@@ -6,7 +6,7 @@ results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
@@ -14,7 +14,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-19T14:23:55Z"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
@@ -22,7 +22,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-19T14:23:56Z"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
@@ -30,7 +30,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-19T14:23:56Z"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
@@ -38,7 +38,7 @@ results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-19T14:23:57Z"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
@@ -46,7 +46,7 @@ results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "tutu"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-19T14:23:57Z"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "opnsense-sshd.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "OPNsense.localdomain"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
diff --git a/.tests/overseerr-bf/parser.assert b/.tests/overseerr-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/overseerr-bf/scenario.assert b/.tests/overseerr-bf/scenario.assert
index 4f5687c9348..91817eb9d61 100644
--- a/.tests/overseerr-bf/scenario.assert
+++ b/.tests/overseerr-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["127.0.0.2"].IP == "127.0.0.2"
 results[0].Overflow.Sources["127.0.0.2"].Range == ""
 results[0].Overflow.Sources["127.0.0.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.2"].GetValue() == "127.0.0.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser@example.com"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser@example.com"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser@example.com"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser@example.com"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser@example.com"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "overseerr-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "overseerr_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "overseerr"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser@example.com"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser@example.com"
 results[0].Overflow.Alert.GetScenario() == "LePresidente/overseerr-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[1].Overflow.Sources["127.0.0.1"].Range == ""
 results[1].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[1].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[2].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[3].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[4].GetMeta("user") == "fakeuser"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "overseerr-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "overseerr-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "overseerr_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "overseerr"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "fakeuser"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-06-20T09:52:17.637Z"
-results[1].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/overseerr-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[1].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/overseerr-logs/overseerr-logs.log b/.tests/overseerr-logs/overseerr-logs.log
index 852a40ee00c..e214c2b5374 100644
--- a/.tests/overseerr-logs/overseerr-logs.log
+++ b/.tests/overseerr-logs/overseerr-logs.log
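Review bot: The renamed metadata is only asserted positively: every event now checks `GetMeta("target_user")` and `GetMeta("auth_status")`, but nothing asserts that the old `user` and `log_type` keys are gone, so a parser that still emits both the old and the new keys passes this scenario test unchanged. If `GetMeta` returns an empty string for an absent key, one line per event such as `results[1].Overflow.Alert.Events[0].GetMeta("user") == ""` and `results[1].Overflow.Alert.Events[0].GetMeta("log_type") == ""` would pin the removal. The same gap applies to the `overseerr-logs/parser.assert` hunks below, where the map form (for example `"user" not in results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta`) would be the equivalent check. If these files are regenerated by the test tooling rather than hand-maintained, such negative assertions would need to survive regeneration, so it may be worth confirming the workflow before adding them.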
@@ -3,3 +3,4 @@
 2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"::ffff:127.0.0.1","email":"fakeuser@example.com"}
 2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"127.0.0.1","email":"fakeuser"}
 2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"127.0.0.1","email":"fakeuser@example.com"}
+2022-06-20T09:53:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {"ip":"127.0.0.1","email":"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"}
diff --git a/.tests/overseerr-logs/parser.assert b/.tests/overseerr-logs/parser.assert
index b401d9725d7..f9c7ebd50b3 100644
--- a/.tests/overseerr-logs/parser.assert
+++ b/.tests/overseerr-logs/parser.assert
@@ -1,54 +1,61 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-12-10T15:17:39.030Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"192.168.178.182\",\"email\":\"someone@nonexisting.com\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "overseerr"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "overseerr"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "overseerr"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "overseerr"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser@example.com\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "overseerr"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022-06-20T09:53:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "overseerr"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-len(results["s01-parse"]["LePresidente/overseerr-logs"]) == 5
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
+len(results["s01-parse"]["LePresidente/overseerr-logs"]) == 6
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Success == true
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Parsed["message"] == "2023-12-10T15:17:39.030Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"192.168.178.182\",\"email\":\"someone@nonexisting.com\"}"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Parsed["program"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Parsed["source_ip"] == "192.168.178.182"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Parsed["timestamp"] == "2023-12-10T15:17:39.030Z"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Parsed["username"] == "someone@nonexisting.com"
-results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["service"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["source_ip"] == "192.168.178.182"
-results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["user"] == "someone@nonexisting.com"
+results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Meta["target_user"] == "someone@nonexisting.com"
 results["s01-parse"]["LePresidente/overseerr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Success == true
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser\"}"
@@ -56,12 +63,12 @@ results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Parsed["program"] ==
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Parsed["username"] == "fakeuser"
-results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["service"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["user"] == "fakeuser"
+results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Meta["target_user"] == "fakeuser"
 results["s01-parse"]["LePresidente/overseerr-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Success == true
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"::ffff:127.0.0.1\",\"email\":\"fakeuser@example.com\"}"
@@ -69,12 +76,12 @@ results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Parsed["program"] ==
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Parsed["username"] == "fakeuser@example.com"
-results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["service"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["user"] == "fakeuser@example.com"
+results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s01-parse"]["LePresidente/overseerr-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Success == true
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser\"}"
@@ -82,12 +89,12 @@ results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Parsed["program"] ==
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Parsed["username"] == "fakeuser"
-results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["service"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["user"] == "fakeuser"
+results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Meta["target_user"] == "fakeuser"
 results["s01-parse"]["LePresidente/overseerr-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Success == true
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Parsed["message"] == "2022-06-20T09:52:17.637Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"fakeuser@example.com\"}"
@@ -95,27 +102,40 @@ results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Parsed["program"] ==
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Parsed["username"] == "fakeuser@example.com"
-results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["service"] == "overseerr"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["user"] == "fakeuser@example.com"
+results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s01-parse"]["LePresidente/overseerr-logs"][4].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Success == true
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Parsed["message"] == "2022-06-20T09:53:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Parsed["program"] == "overseerr"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Parsed["timestamp"] == "2022-06-20T09:53:00.000Z"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["service"] == "overseerr"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/overseerr-logs"][5].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-12-10T15:17:39.030Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"192.168.178.182\",\"email\":\"someone@nonexisting.com\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.178.182"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-12-10T15:17:39.030Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "someone@nonexisting.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.178.182"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "someone@nonexisting.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-12-10T15:17:39.03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "someone@nonexisting.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-12-10T15:17:39.03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
@@ -124,13 +144,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "fakeuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
@@ -139,13 +159,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "fakeuser@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
@@ -154,13 +174,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "fakeuser"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
@@ -169,13 +189,28 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "fakeuser@example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "overseerr_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "overseerr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-06-20T09:52:17.637Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "fakeuser@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:52:17.637Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2022-06-20T09:53:00.000Z [warn][API]: Failed sign-in attempt using invalid Overseerr password {\"ip\":\"127.0.0.1\",\"email\":\"crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "overseerr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022-06-20T09:53:00.000Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "overseerr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "overseerr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-06-20T09:53:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-06-20T09:53:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/pam-logs/parser.assert b/.tests/pam-logs/parser.assert
index 9a8d063da8e..0939f4a67b8 100644
--- a/.tests/pam-logs/parser.assert
+++ b/.tests/pam-logs/parser.assert
@@ -1,83 +1,86 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Dec 7 14:53:04"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "pam_tally2(sudo:auth): user zbadguy (4001) tally 6, deny 5"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sudo"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "pam-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Dec 7 14:53:04"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "pam-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "vskub1master01p"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "pam_unix(sudo:auth): authentication failure; logname=zbadguy uid=4001 euid=0 tty=/dev/pts/12 ruser=zbadguy rhost= user=zbadguy"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sudo"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Dec 7 14:52:59"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "pam-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "pam-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "vskub1master01p"
-len(results["s01-parse"]["crowdsecurity/pam-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["message"] == "pam_tally2(sudo:auth): user zbadguy (4001) tally 6, deny 5"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["program"] == "sudo"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["timestamp"] == "Dec 7 14:53:04"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["uid"] == "4001"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["message"] == "pam_tally2(sudo:auth): user zbadguy (4001) tally 6, deny 5"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Parsed["username"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["machine"] == "vskub1master01p"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["service"] == "pam"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["username"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["datasource_path"] == "pam-logs.log"
+basename(results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["datasource_path"]) == "pam-logs.log"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["log_type"] == "pam_user_lock"
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["machine"] == "vskub1master01p"
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["service"] == "pam"
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Meta["target_user"] == "zbadguy"
+results["s01-parse"]["crowdsecurity/pam-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["program"] == "sudo"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["ruser"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["timestamp"] == "Dec 7 14:52:59"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["euid"] == "0"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["logname"] == "zbadguy"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["message"] == "pam_unix(sudo:auth): authentication failure; logname=zbadguy uid=4001 euid=0 tty=/dev/pts/12 ruser=zbadguy rhost= user=zbadguy"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["program"] == "sudo"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["ruser"] == "zbadguy"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["timestamp"] == "Dec 7 14:52:59"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["tty"] == "/dev/pts/12"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["uid"] == "4001"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["username"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["tty"] == "/dev/pts/12"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Parsed["logname"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["username"] == "zbadguy"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["datasource_path"] == "pam-logs.log"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["datasource_path"]) == "pam-logs.log"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["log_type"] == "pam_failed_auth"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["machine"] == "vskub1master01p"
 results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["service"] == "pam"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Meta["target_user"] == "zbadguy"
+results["s01-parse"]["crowdsecurity/pam-logs"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sudo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "pam_tally2(sudo:auth): user zbadguy (4001) tally 6, deny 5"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sudo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Dec 7 14:53:04"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["uid"] == "4001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "zbadguy"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "pam-logs.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "pam-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "pam_user_lock"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "vskub1master01p"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "pam"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "zbadguy"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-12-07T14:53:04Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "zbadguy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-12-07T14:53:04Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-12-07T14:53:04Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["uid"] == "4001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["euid"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logname"] == "zbadguy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "pam_unix(sudo:auth): authentication failure; logname=zbadguy uid=4001 euid=0 tty=/dev/pts/12 ruser=zbadguy rhost= user=zbadguy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sudo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ruser"] == "zbadguy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Dec 7 14:52:59"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["tty"] == "/dev/pts/12"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logname"] == "zbadguy"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ruser"] == "zbadguy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["uid"] == "4001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "zbadguy"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sudo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "pam-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "vskub1master01p"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "pam"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "zbadguy"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "pam-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "pam_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-12-07T14:52:59Z"
-
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "zbadguy"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-12-07T14:52:59Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-12-07T14:52:59Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
diff --git a/.tests/paperless-ngx-bf/parser.assert b/.tests/paperless-ngx-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/paperless-ngx-bf/scenario.assert b/.tests/paperless-ngx-bf/scenario.assert
index 461f53534de..f99b0d4ecb1 100644
--- a/.tests/paperless-ngx-bf/scenario.assert
+++ b/.tests/paperless-ngx-bf/scenario.assert
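Review bot: The four new lines `[0].Evt.Meta["timestamp"] == "2025-12-07T14:53:04Z"`, `[0].Evt.Enriched["MarshaledTime"] == "2025-12-07T14:53:04Z"` and the matching `[1]` pair hard-code a year that the `Dec 7 14:53:04` syslog input does not contain; the removed `Enriched["MarshaledTime"][4:] == "-12-07T14:53:04Z"` form sliced the year off presumably because the enricher fills in the current year, so unless the harness pins the clock these assertions will start failing after the turn of the year. I would restore the slice, `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-12-07T14:53:04Z"`, and use the same `[4:]` form on the two `Meta["timestamp"]` lines. The hunk also drops `len(results) == 4` and the three per-stage `len(...) == 2` checks without replacement, so an extra or duplicated event at any stage would now pass unnoticed; keep the counts next to the per-index assertions. It also appears intentional that the `pam_tally2` lockout event `[0]` carries no `auth_status` while the `pam_unix` failure `[1]` gets `"failed"`, which means a scenario counting `auth_status == "failed"` will not see the lockout line; worth confirming against whatever still consumes `log_type == "pam_user_lock"`.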
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["192.168.100.100"].IP == "192.168.100.100"
 results[0].Overflow.Sources["192.168.100.100"].Range == ""
 results[0].Overflow.Sources["192.168.100.100"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.100.100"].GetValue() == "192.168.100.100"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "testenumlegacy1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T19:22:24.246Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "testenumlegacy1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "testenumlegacy2"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T19:22:29.375Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "testenumlegacy2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "testenumlegacy3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T19:22:44.484Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "testenumlegacy3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "testenumlegacy4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T19:23:01.873Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "testenumlegacy4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "testenumlegacy5"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T19:23:14.214Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "testenumlegacy5"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.100.100"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "testenumlegacy6"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T19:23:21.937Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "testenumlegacy6"
 results[0].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
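Review bot: With `.tests/paperless-ngx-bf/parser.assert` deleted earlier in this diff, the parser's output is now pinned only through the events that make it into an overflow, so a parser regression on any line the scenarios do not consume (or a failure line that silently stops matching the scenario filter) would no longer be caught by this test; I would keep a minimal parser.assert that pins `auth_status` and `target_user` for at least one failed-login line. In this hunk the removed `log_type == "paperless_ngx_failed_auth"` assertions are not replaced by anything that says the scenario now keys on `auth_status`, so whether the scenarios were switched or still match on a `log_type` the parser happens to keep emitting cannot be read from the test; adding `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == ""` (or whatever the harness returns for an absent key) for one event would make the contract explicit. The `target_user` values here come straight from the login form and are attacker-controlled, which is fine for an assertion but should be treated as untrusted text wherever the scenario's alert is rendered.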
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[1].Overflow.Sources["192.168.0.100"].Range == ""
 results[1].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "testenum1"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T19:22:24.246Z"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "testenum1"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "testenum2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T19:22:29.375Z"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "testenum2"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "testenum3"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T19:22:44.484Z"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "testenum3"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "testenum4"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T19:23:01.873Z"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "testenum4"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "testenum5"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T19:23:14.214Z"
-results[1].Overflow.Alert.Events[4].GetMeta("username") == "testenum5"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "testenum6"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T19:23:21.937Z"
-results[1].Overflow.Alert.Events[5].GetMeta("username") == "testenum6"
 results[1].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf_user-enum"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].IP == "2001:db8::b6
 results[2].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].Range == ""
 results[2].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].GetScope() == "Ip"
 results[2].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].GetValue() == "2001:db8::b6d3:95d7:1425:766d"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T15:17:36.332Z"
-results[2].Overflow.Alert.Events[0].GetMeta("username") == "test6priv"
-results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T15:17:38.121Z"
-results[2].Overflow.Alert.Events[1].GetMeta("username") == "test6priv"
-results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T15:17:45.544Z"
-results[2].Overflow.Alert.Events[2].GetMeta("username") == "test6priv"
-results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T15:18:02.745Z"
-results[2].Overflow.Alert.Events[3].GetMeta("username") == "test6priv"
-results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T15:18:10.1Z"
-results[2].Overflow.Alert.Events[4].GetMeta("username") == "test6priv"
-results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "test6priv"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T15:18:30.478Z"
-results[2].Overflow.Alert.Events[5].GetMeta("username") == "test6priv"
 results[2].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["192.168.100.100"].IP == "192.168.100.100"
 results[3].Overflow.Sources["192.168.100.100"].Range == ""
 results[3].Overflow.Sources["192.168.100.100"].GetScope() == "Ip"
 results[3].Overflow.Sources["192.168.100.100"].GetValue() == "192.168.100.100"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "testenumlegacy1"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T19:22:24.246Z"
-results[3].Overflow.Alert.Events[0].GetMeta("username") == "testenumlegacy1"
-results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "testenumlegacy2"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T19:22:29.375Z"
-results[3].Overflow.Alert.Events[1].GetMeta("username") == "testenumlegacy2"
-results[3].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "testenumlegacy3"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T19:22:44.484Z"
-results[3].Overflow.Alert.Events[2].GetMeta("username") == "testenumlegacy3"
-results[3].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "testenumlegacy4"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T19:23:01.873Z"
-results[3].Overflow.Alert.Events[3].GetMeta("username") == "testenumlegacy4"
-results[3].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "testenumlegacy5"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T19:23:14.214Z"
-results[3].Overflow.Alert.Events[4].GetMeta("username") == "testenumlegacy5"
-results[3].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.100.100"
+results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "testenumlegacy6"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T19:23:21.937Z"
-results[3].Overflow.Alert.Events[5].GetMeta("username") == "testenumlegacy6"
 results[3].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf"
 results[3].Overflow.Alert.Remediation == true
 results[3].Overflow.Alert.GetEventsCount() == 6
@@ -204,48 +204,48 @@ results[4].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[4].Overflow.Sources["192.168.0.100"].Range == ""
 results[4].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[4].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
-results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T16:22:46.816Z"
-results[4].Overflow.Alert.Events[0].GetMeta("username") == "test4priv"
-results[4].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T16:22:52.124Z"
-results[4].Overflow.Alert.Events[1].GetMeta("username") == "test4priv"
-results[4].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T16:23:06.744Z"
-results[4].Overflow.Alert.Events[2].GetMeta("username") == "test4priv"
-results[4].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T16:23:12.236Z"
-results[4].Overflow.Alert.Events[3].GetMeta("username") == "test4priv"
-results[4].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[4].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T16:23:21.826Z"
-results[4].Overflow.Alert.Events[4].GetMeta("username") == "test4priv"
-results[4].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[4].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[4].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[4].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[4].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[4].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[4].Overflow.Alert.Events[5].GetMeta("target_user") == "test4priv"
 results[4].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T16:23:38.139Z"
-results[4].Overflow.Alert.Events[5].GetMeta("username") == "test4priv"
 results[4].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf"
 results[4].Overflow.Alert.Remediation == true
 results[4].Overflow.Alert.GetEventsCount() == 6
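Review bot: The new expectations in this hunk (and identically in the `@@ -254` and `@@ -304` hunks below) drop the `log_type` meta and replace `username` with `target_user`, so anything that reads alert metadata by key — notification templates, profiles, or other scenarios filtering on those names — stops matching without any error being raised; assuming these asserts mirror a change in the paperless-ngx parser, the commit message should call the renamed and removed keys out as a breaking change for existing consumers. If compatibility matters, the parser could emit both keys for a transition period, in which case this hunk would keep a line such as `results[4].Overflow.Alert.Events[0].GetMeta("username") == "test4priv"` next to the new `target_user` assertion rather than deleting it. Wrapping `datasource_path` in `basename(...)` is a sound change: the expectation no longer depends on the directory the hub test runs from.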
@@ -254,48 +254,48 @@ results[5].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[5].Overflow.Sources["192.168.0.100"].Range == ""
 results[5].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[5].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
-results[5].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[0].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T18:03:14.266Z"
-results[5].Overflow.Alert.Events[0].GetMeta("username") == "test4pub"
-results[5].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[1].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T18:03:19.224Z"
-results[5].Overflow.Alert.Events[1].GetMeta("username") == "test4pub"
-results[5].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[2].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T18:03:28.437Z"
-results[5].Overflow.Alert.Events[2].GetMeta("username") == "test4pub"
-results[5].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[3].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T18:03:38.622Z"
-results[5].Overflow.Alert.Events[3].GetMeta("username") == "test4pub"
-results[5].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[4].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T18:04:02.264Z"
-results[5].Overflow.Alert.Events[4].GetMeta("username") == "test4pub"
-results[5].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[5].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[5].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[5].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[5].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[5].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[5].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[5].Overflow.Alert.Events[5].GetMeta("target_user") == "test4pub"
 results[5].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T18:04:10.831Z"
-results[5].Overflow.Alert.Events[5].GetMeta("username") == "test4pub"
 results[5].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf"
 results[5].Overflow.Alert.Remediation == true
 results[5].Overflow.Alert.GetEventsCount() == 6
@@ -304,48 +304,48 @@ results[6].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[6].Overflow.Sources["192.168.0.100"].Range == ""
 results[6].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[6].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
-results[6].Overflow.Alert.Events[0].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[0].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[0].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[0].GetMeta("target_user") == "testenum1"
 results[6].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-06-30T19:22:24.246Z"
-results[6].Overflow.Alert.Events[0].GetMeta("username") == "testenum1"
-results[6].Overflow.Alert.Events[1].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[1].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[1].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[1].GetMeta("target_user") == "testenum2"
 results[6].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-06-30T19:22:29.375Z"
-results[6].Overflow.Alert.Events[1].GetMeta("username") == "testenum2"
-results[6].Overflow.Alert.Events[2].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[2].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[2].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[2].GetMeta("target_user") == "testenum3"
 results[6].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-06-30T19:22:44.484Z"
-results[6].Overflow.Alert.Events[2].GetMeta("username") == "testenum3"
-results[6].Overflow.Alert.Events[3].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[3].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[3].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[3].GetMeta("target_user") == "testenum4"
 results[6].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-06-30T19:23:01.873Z"
-results[6].Overflow.Alert.Events[3].GetMeta("username") == "testenum4"
-results[6].Overflow.Alert.Events[4].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[4].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[4].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[4].GetMeta("target_user") == "testenum5"
 results[6].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-06-30T19:23:14.214Z"
-results[6].Overflow.Alert.Events[4].GetMeta("username") == "testenum5"
-results[6].Overflow.Alert.Events[5].GetMeta("datasource_path") == "paperless-ngx-bf.log"
+results[6].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[6].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "paperless-ngx-bf.log"
 results[6].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[6].Overflow.Alert.Events[5].GetMeta("log_type") == "paperless_ngx_failed_auth"
 results[6].Overflow.Alert.Events[5].GetMeta("service") == "paperless-ngx"
 results[6].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[6].Overflow.Alert.Events[5].GetMeta("target_user") == "testenum6"
 results[6].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-06-30T19:23:21.937Z"
-results[6].Overflow.Alert.Events[5].GetMeta("username") == "testenum6"
 results[6].Overflow.Alert.GetScenario() == "andreasbrett/paperless-ngx-bf"
 results[6].Overflow.Alert.Remediation == true
 results[6].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/paperless-ngx-logs/paperless-ngx-logs.log b/.tests/paperless-ngx-logs/paperless-ngx-logs.log
index 247b2dd0626..d07c3ed1963 100644
--- a/.tests/paperless-ngx-logs/paperless-ngx-logs.log
+++ b/.tests/paperless-ngx-logs/paperless-ngx-logs.log
@@ -29,3 +29,4 @@
 [2023-06-30 18:06:22,264] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`
 [2023-06-30 18:06:47,831] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`
 [2023-06-30 18:06:47,831] [INFO] [paperless.auth] Login failed for user `test@example.com` from IP `192.168.0.100.`
+[2023-06-30 18:07:00,000] [INFO] [paperless.auth] Login failed for user `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` from IP `192.168.0.100.`
diff --git a/.tests/paperless-ngx-logs/parser.assert b/.tests/paperless-ngx-logs/parser.assert
index ea6dcf78a0e..73b9156c0e0 100644
--- a/.tests/paperless-ngx-logs/parser.assert
+++ b/.tests/paperless-ngx-logs/parser.assert
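Review bot: The only expectation visible for the added `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` sample line is the s00-raw count moving from 31 to 32 in the parser.assert hunk that follows; whether the later parser stages turn it into a failed-auth event or whitelist it is not pinned anywhere in this view, and that is presumably the behaviour the new line exists to exercise. An explicit assertion on that event's `Whitelisted` flag, or on its presence or absence in the failed-auth stage, would make the intent of the fixture checkable rather than implied. The new line keeps the trailing dot inside the backticks of the IP field, consistent with the three context lines above it, so the parser's handling of that older log format is exercised too.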
@@ -1,192 +1,198 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 31
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 32
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[2023-06-30 15:17:36,332] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[2023-06-30 15:17:38,121] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[2023-06-30 15:17:45,544] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[2023-06-30 15:18:12,745] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[2023-06-30 15:18:56,100] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "[2023-06-30 15:19:12,478] [INFO] [paperless.auth] Login failed for user `test6priv` from private IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "[2023-06-30 16:22:36,816] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "[2023-06-30 16:22:42,124] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "[2023-06-30 16:23:06,744] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "[2023-06-30 16:25:10,236] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "[2023-06-30 16:26:32,826] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "[2023-06-30 16:26:55,139] [INFO] [paperless.auth] Login failed for user `test4priv` from private IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "[2023-06-30 17:44:54,874] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["message"] == "[2023-06-30 17:44:59,236] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["message"] == "[2023-06-30 17:45:33,568] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["message"] == "[2023-06-30 17:47:12,974] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["message"] == "[2023-06-30 17:47:22,122] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["message"] == "[2023-06-30 17:48:47,531] [INFO] [paperless.auth] Login failed for user `test6pub` from IP `2001:db8::b6d3:95d7:1425:766d`."
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][18].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["message"] == "[2023-06-30 18:03:14,266] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][19].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Parsed["message"] == "[2023-06-30 18:03:29,224] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`."
 results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Parsed["program"] == "Paperless-ngx"
-results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][20].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Parsed["message"] == "[2023-06-30 18:05:11,437] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`."
results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][21].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Parsed["message"] == "[2023-06-30 18:05:38,622] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`." results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][22].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Parsed["message"] == "[2023-06-30 18:06:22,264] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`." 
results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][23].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Parsed["message"] == "[2023-06-30 18:06:47,831] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100`." results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][24].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Parsed["message"] == "[2023-06-30 18:03:14,266] [INFO] [paperless.auth] Login failed for user `test4pub` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][25].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Parsed["message"] == "[2023-06-30 18:03:29,224] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][26].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Parsed["message"] == "[2023-06-30 18:05:11,437] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][27].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Parsed["message"] == "[2023-06-30 18:05:38,622] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][28].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Parsed["message"] == "[2023-06-30 18:06:22,264] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][29].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Parsed["message"] == "[2023-06-30 18:06:47,831] [INFO] [paperless.auth] Login failed for user `test4publegacy` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][30].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["message"] == "[2023-06-30 18:06:47,831] [INFO] [paperless.auth] Login failed for user 
`test@example.com` from IP `192.168.0.100.`" results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["program"] == "Paperless-ngx" -results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 31 +results["s00-raw"]["crowdsecurity/non-syslog"][31].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Parsed["message"] == "[2023-06-30 18:07:00,000] [INFO] [paperless.auth] Login failed for user `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` from IP `192.168.0.100.`" +results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Parsed["program"] == "Paperless-ngx" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 32 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false 
@@ -218,7 +224,8 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][27].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][28].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][29].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][30].Success == false
-len(results["s01-parse"]["andreasbrett/paperless-ngx-logs"]) == 31
+results["s00-raw"]["crowdsecurity/syslog-logs"][31].Success == false
+len(results["s01-parse"]["andreasbrett/paperless-ngx-logs"]) == 32
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["date"] == "2023-06-30"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["day"] == "30"
@@ -229,12 +236,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["time"] == "15:17:36,332"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Parsed["date"] == "2023-06-30"
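Review bot: After the `Meta["log_type"] == "paperless_ngx_failed_auth"` line is removed, no assertion in the new side pins any log_type value, so a regression in the parser's log_type output would go unnoticed even though `auth_status` and `target_user` are now checked. If the parser still emits a log_type, keep an assertion on it, e.g. `results["s01-parse"]["andreasbrett/paperless-ngx-logs"][0].Evt.Meta["log_type"] == "<current value>"`; if the key was dropped on purpose, it is worth confirming that any scenario filtering on `evt.Meta.log_type` was updated, since that change would be outside this file. The same applies to the matching hunks for events [1] through [16] below, where the identical lines are removed.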
@@ -246,12 +253,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Parsed["time"] == "15:17:38,121"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Parsed["date"] == "2023-06-30"
@@ -263,12 +270,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Parsed["time"] == "15:17:45,544"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Parsed["date"] == "2023-06-30"
@@ -280,12 +287,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Parsed["time"] == "15:18:12,745"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Parsed["date"] == "2023-06-30"
@@ -297,12 +304,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Parsed["time"] == "15:18:56,100"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Parsed["date"] == "2023-06-30"
@@ -314,12 +321,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Parsed["time"] == "15:19:12,478"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Parsed["username"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["username"] == "test6priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Meta["target_user"] == "test6priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Parsed["date"] == "2023-06-30"
@@ -331,12 +338,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Parsed["time"] == "16:22:36,816"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Parsed["date"] == "2023-06-30"
@@ -348,12 +355,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Parsed["time"] == "16:22:42,124"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Parsed["date"] == "2023-06-30"
@@ -365,12 +372,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Parsed["time"] == "16:23:06,744"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Parsed["date"] == "2023-06-30"
@@ -382,12 +389,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Parsed["source_ip
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Parsed["time"] == "16:25:10,236"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Parsed["date"] == "2023-06-30"
@@ -399,12 +406,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Parsed["source_i
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Parsed["time"] == "16:26:32,826"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Parsed["date"] == "2023-06-30"
@@ -416,12 +423,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Parsed["source_i
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Parsed["time"] == "16:26:55,139"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Parsed["username"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["username"] == "test4priv"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Meta["target_user"] == "test4priv"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Parsed["date"] == "2023-06-30"
@@ -433,12 +440,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Parsed["source_i
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Parsed["time"] == "17:44:54,874"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Parsed["username"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["username"] == "test6pub"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Meta["target_user"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][12].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Parsed["date"] == "2023-06-30"
@@ -450,12 +457,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Parsed["source_i
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Parsed["time"] == "17:44:59,236"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Parsed["username"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["username"] == "test6pub"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Meta["target_user"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Parsed["date"] == "2023-06-30"
@@ -467,12 +474,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Parsed["source_i
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Parsed["time"] == "17:45:33,568"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Parsed["username"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Parsed["year"] == "2023"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["service"] == "paperless-ngx"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
-results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["username"] == "test6pub"
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Meta["target_user"] == "test6pub"
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][14].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Success == true
 results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Parsed["date"] == "2023-06-30"
@@ -484,12 +491,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Parsed["time"] == "17:47:12,974" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Parsed["username"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["username"] == "test6pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Meta["target_user"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][15].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Parsed["date"] == "2023-06-30" 
@@ -501,12 +508,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Parsed["time"] == "17:47:22,122" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Parsed["username"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["username"] == "test6pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Meta["target_user"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][16].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Parsed["date"] == "2023-06-30" 
@@ -518,12 +525,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Parsed["time"] == "17:48:47,531" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Parsed["username"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["username"] == "test6pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Meta["target_user"] == "test6pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][17].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Parsed["date"] == "2023-06-30" 
@@ -535,12 +542,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Parsed["time"] == "18:03:14,266" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][18].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Parsed["date"] == "2023-06-30" 
@@ -552,12 +559,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Parsed["time"] == "18:03:29,224" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][19].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Parsed["date"] == "2023-06-30" 
@@ -569,12 +576,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Parsed["time"] == "18:05:11,437" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][20].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Parsed["date"] == "2023-06-30" 
@@ -586,12 +593,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Parsed["time"] == "18:05:38,622" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][21].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Parsed["date"] == "2023-06-30" 
@@ -603,12 +610,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Parsed["time"] == "18:06:22,264" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][22].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Parsed["date"] == "2023-06-30" 
@@ -620,12 +627,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Parsed["time"] == "18:06:47,831" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][23].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Parsed["date"] == "2023-06-30" 
@@ -637,12 +644,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Parsed["time"] == "18:03:14,266" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Parsed["username"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["username"] == "test4pub" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Meta["target_user"] == "test4pub" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][24].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Parsed["date"] == "2023-06-30" 
@@ -654,12 +661,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Parsed["time"] == "18:03:29,224" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Parsed["username"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["username"] == "test4publegacy" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Meta["target_user"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][25].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Parsed["date"] == "2023-06-30" 
@@ -671,12 +678,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Parsed["time"] == "18:05:11,437" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Parsed["username"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["username"] == "test4publegacy" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Meta["target_user"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][26].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Parsed["date"] == "2023-06-30" 
@@ -688,12 +695,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Parsed["time"] == "18:05:38,622" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Parsed["username"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["username"] == "test4publegacy" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Meta["target_user"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][27].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Parsed["date"] == "2023-06-30" 
@@ -705,12 +712,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Parsed["time"] == "18:06:22,264" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Parsed["username"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["username"] == "test4publegacy" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Meta["target_user"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][28].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Parsed["date"] == "2023-06-30" 
@@ -722,12 +729,12 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Parsed["time"] == "18:06:47,831" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Parsed["username"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["username"] == "test4publegacy" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Meta["target_user"] == "test4publegacy" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][29].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Success == true results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Parsed["date"] == "2023-06-30" 
@@ -739,14 +746,31 @@ results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Parsed["source_i results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Parsed["time"] == "18:06:47,831" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Parsed["username"] == "test@example.com" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Parsed["year"] == "2023" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["service"] == "paperless-ngx" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["andreasbrett/paperless-ngx-logs"][30].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 31 +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Success == true +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["date"] == "2023-06-30" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["day"] == "30" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["message"] == "[2023-06-30 18:07:00,000] [INFO] [paperless.auth] Login failed for user `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` from IP `192.168.0.100.`" 
+results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["month"] == "06" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["program"] == "Paperless-ngx" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["source_ip"] == "192.168.0.100" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["time"] == "18:07:00,000" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Parsed["year"] == "2023" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["service"] == "paperless-ngx" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["source_ip"] == "192.168.0.100" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["andreasbrett/paperless-ngx-logs"][31].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 32 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2023-06-30" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "30" 
@@ -757,13 +781,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "15:17:36,332" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "paperless-ngx" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-06-30T15:17:36.332Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:17:36.332Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true 
@@ -776,13 +800,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "15:17:38,121" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "paperless-ngx" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-06-30T15:17:38.121Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:17:38.121Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true 
@@ -795,13 +819,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "15:17:45,544" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["year"] == "2023" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "paperless_ngx_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "paperless-ngx" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-06-30T15:17:45.544Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "test6priv" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:17:45.544Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true 
@@ -814,13 +838,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] == "15:18:12,745"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-06-30T15:18:12.745Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:18:12.745Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
@@ -833,13 +857,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] == "15:18:56,100"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-06-30T15:18:56.1Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:18:56.1Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
@@ -852,13 +876,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "15:19:12,478"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-06-30T15:19:12.478Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "test6priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-06-30T15:19:12.478Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
@@ -871,13 +895,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] == "16:22:36,816"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2023-06-30T16:22:36.816Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:22:36.816Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
@@ -890,13 +914,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["time"] == "16:22:42,124"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2023-06-30T16:22:42.124Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:22:42.124Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
@@ -909,13 +933,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["time"] == "16:23:06,744"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2023-06-30T16:23:06.744Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:23:06.744Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
@@ -928,13 +952,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["time"] == "16:25:10,236"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-06-30T16:25:10.236Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:25:10.236Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
@@ -947,13 +971,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["time"] == "16:26:32,826"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2023-06-30T16:26:32.826Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:26:32.826Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
@@ -966,13 +990,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["time"] == "16:26:55,139"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["target_user"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-06-30T16:26:55.139Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["username"] == "test4priv"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2023-06-30T16:26:55.139Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
@@ -985,13 +1009,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["time"] == "17:44:54,874"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2023-06-30T17:44:54.874Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:44:54.874Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true
@@ -1004,13 +1028,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["time"] == "17:44:59,236"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2023-06-30T17:44:59.236Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:44:59.236Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true
@@ -1023,13 +1047,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["time"] == "17:45:33,568"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2023-06-30T17:45:33.568Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:45:33.568Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Success == true
@@ -1042,13 +1066,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["time"] == "17:47:12,974"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2023-06-30T17:47:12.974Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:47:12.974Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Success == true
@@ -1061,13 +1085,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["time"] == "17:47:22,122"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2023-06-30T17:47:22.122Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:47:22.122Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Success == true
@@ -1080,13 +1104,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["time"] == "17:48:47,531"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"] == "2001:db8::b6d3:95d7:1425:766d"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["target_user"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2023-06-30T17:48:47.531Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["username"] == "test6pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Enriched["MarshaledTime"] == "2023-06-30T17:48:47.531Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Success == true
@@ -1099,13 +1123,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["time"] == "18:03:14,266"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2023-06-30T18:03:14.266Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:03:14.266Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Success == true
@@ -1118,13 +1142,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["time"] == "18:03:29,224"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["timestamp"] == "2023-06-30T18:03:29.224Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:03:29.224Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Success == true
@@ -1137,13 +1161,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["time"] == "18:05:11,437"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2023-06-30T18:05:11.437Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:05:11.437Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Success == true
@@ -1156,13 +1180,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["time"] == "18:05:38,622"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2023-06-30T18:05:38.622Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:05:38.622Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Success == true
@@ -1175,13 +1199,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["time"] == "18:06:22,264"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2023-06-30T18:06:22.264Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:06:22.264Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Success == true
@@ -1194,13 +1218,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["time"] == "18:06:47,831"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2023-06-30T18:06:47.831Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:06:47.831Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Success == true
@@ -1213,13 +1237,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["time"] == "18:03:14,266"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["target_user"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["timestamp"] == "2023-06-30T18:03:14.266Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["username"] == "test4pub"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:03:14.266Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Success == true
@@ -1232,13 +1256,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["time"] == "18:03:29,224"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["target_user"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["timestamp"] == "2023-06-30T18:03:29.224Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:03:29.224Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Success == true
@@ -1251,13 +1275,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["time"] == "18:05:11,437"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["target_user"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["timestamp"] == "2023-06-30T18:05:11.437Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:05:11.437Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Success == true
@@ -1270,13 +1294,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["time"] == "18:05:38,622"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["target_user"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["timestamp"] == "2023-06-30T18:05:38.622Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:05:38.622Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Success == true
@@ -1289,13 +1313,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["time"] == "18:06:22,264"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["target_user"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["timestamp"] == "2023-06-30T18:06:22.264Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:06:22.264Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Success == true
@@ -1308,13 +1332,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["time"] == "18:06:47,831"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["target_user"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["timestamp"] == "2023-06-30T18:06:47.831Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["username"] == "test4publegacy"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:06:47.831Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Success == true
@@ -1327,13 +1351,32 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["time"] == "18:06:47,831"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"] == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["log_type"] == "paperless_ngx_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["service"] == "paperless-ngx"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["timestamp"] == "2023-06-30T18:06:47.831Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:06:47.831Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["date"] == "2023-06-30"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["day"] == "30"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["message"] == "[2023-06-30 18:07:00,000] [INFO] [paperless.auth] Login failed for user `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` from IP `192.168.0.100.`"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["program"] == "Paperless-ngx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["time"] == "18:07:00,000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["year"] == "2023"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_path"]) == "paperless-ngx-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["service"] == "paperless-ngx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["timestamp"] == "2023-06-30T18:07:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Enriched["MarshaledTime"] == "2023-06-30T18:07:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/pf-scan-multi-port/parser.assert b/.tests/pf-scan-multi-port/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
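Review bot: The new event [31] expects `Parsed["source_ip"] == "192.168.0.100"` while its raw message carries the address as `192.168.0.100.` with a trailing period inside the backticks, so this line is the only thing pinning that the parser does not capture punctuation glued to the IP; that intent is not stated anywhere visible. A sentence in the commit description (or a fixture comment, if the log file format allows one) saying that this line deliberately exercises the trailing-dot case would keep a future regex tightening from being mistaken for a harmless cleanup. Note also that this event's `Meta["timestamp"]` is `2023-06-30T18:07:00Z` with no fractional part, unlike the other events, which presumably follows from the `,000` milliseconds in the input; consumers of this test should not assume a single timestamp shape.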
diff --git a/.tests/pfsense-gui-auth/config.yaml b/.tests/pfsense-gui-auth/config.yaml
index 1f61708eeeb..b89c5eb61c6 100644
--- a/.tests/pfsense-gui-auth/config.yaml
+++ b/.tests/pfsense-gui-auth/config.yaml
@@ -9,4 +9,4 @@ postoverflows:
 log_file: pfsense-gui-auth.log
 log_type: syslog
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
diff --git a/.tests/pfsense-gui-auth/parser.assert b/.tests/pfsense-gui-auth/parser.assert
deleted file mode 100644
index e90363e37ca..00000000000
--- a/.tests/pfsense-gui-auth/parser.assert
+++ /dev/null
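Review bot: Setting `ignore_parsers: true` here, together with deleting `.tests/pfsense-gui-auth/parser.assert`, removes every parser-stage assertion for this test, so a regression in the `source_ip` or `username` extraction that the deleted file pinned (e.g. `Evt.Parsed["source_ip"] == "10.0.0.1"`, `Evt.Meta["log_type"] == "pfsense-gui-failed-auth"`) would now surface only indirectly, if at all, through the scenario result. Unlike the other `parser.assert` deletions in this commit, which remove the empty blob (`index e69de29bb2d`), this one discards a 402-line expectation file, and the commit gives no reason. If the goal is to stop maintaining the generated file, a short hand-written `parser.assert` covering just the security-relevant fields would keep that coverage; otherwise a line in the commit description explaining why parser coverage is dropped for pfsense-gui-auth would help reviewers.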
@@ -1,402 +0,0 @@ - -len(results) == 4 -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 9 -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 26 14:50:21" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Oct 26 14:50:23" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false 
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Oct 26 14:50:25" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 26 14:50:27" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true 
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 26 14:50:29" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 26 14:50:30" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Oct 26 14:50:32" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Oct 26 14:50:34" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error 
for user 'toto' from: 10.0.0.1" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["pid"] == "374" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "php-fpm" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Oct 26 14:50:36" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "pfSense" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false -len(results["s01-parse"]["crowdsecurity/pfsense-gui-logs"]) == 9 -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Success == true -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["pid"] == "374" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["program"] == "php-fpm" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["source_ip"] == "10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["timestamp"] == "Oct 26 14:50:21" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Parsed["username"] == "toto" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["log_type"] == "pfsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["machine"] == "pfSense" 
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["service"] == "pfsense-gui" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["source_ip"] == "10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][0].Evt.Whitelisted == false -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Success == true -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["pid"] == "374" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["program"] == "php-fpm" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["source_ip"] == "10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["timestamp"] == "Oct 26 14:50:23" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Parsed["username"] == "toto" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["log_type"] == "pfsense-gui-failed-auth" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["machine"] == "pfSense" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["service"] == "pfsense-gui" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["source_ip"] == "10.0.0.1" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Meta["username"] == "toto" -results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][1].Evt.Whitelisted == false 
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["timestamp"] == "Oct 26 14:50:25"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][2].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["timestamp"] == "Oct 26 14:50:27"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][3].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["timestamp"] == "Oct 26 14:50:29"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][4].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["timestamp"] == "Oct 26 14:50:30"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][5].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["timestamp"] == "Oct 26 14:50:32"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][6].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["timestamp"] == "Oct 26 14:50:34"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][7].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Success == true
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["pid"] == "374"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["program"] == "php-fpm"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["timestamp"] == "Oct 26 14:50:36"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Parsed["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["machine"] == "pfSense"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["service"] == "pfsense-gui"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Meta["username"] == "toto"
-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"][8].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 9
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Oct 26 14:50:21"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-10-26T14:50:21Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:21Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Oct 26 14:50:23"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-10-26T14:50:23Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:23Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Oct 26 14:50:25"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-10-26T14:50:25Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:25Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Oct 26 14:50:27"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-10-26T14:50:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Oct 26 14:50:29"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"][4:] == "-10-26T14:50:29Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:29Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Oct 26 14:50:30"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"][4:] == "-10-26T14:50:30Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:30Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Oct 26 14:50:32"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"][4:] == "-10-26T14:50:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Oct 26 14:50:34"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"][4:] == "-10-26T14:50:34Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:34Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "/index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["pid"] == "374"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "php-fpm"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "Oct 26 14:50:36"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "pfsense-gui-auth.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "pfsense-gui-failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["machine"] == "pfSense"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "pfsense-gui"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "10.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"][4:] == "-10-26T14:50:36Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "toto"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"][4:] == "-10-26T14:50:36Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
-len(results["success"][""]) == 0
diff --git a/.tests/pfsense-gui-auth/scenario.assert b/.tests/pfsense-gui-auth/scenario.assert
index 6e12a7cda01..ee0f22fe483 100644
--- a/.tests/pfsense-gui-auth/scenario.assert
+++ b/.tests/pfsense-gui-auth/scenario.assert
@@ -6,52 +6,52 @@ results[0].Overflow.Sources["10.0.0.1"].GetScope() == "Ip"
results[0].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[0].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-26T14:50:21Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[1].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[1].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-26T14:50:23Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[2].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-26T14:50:25Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[3].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[3].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-26T14:50:27Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[4].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[4].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-10-26T14:50:29Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "pfsense-gui-auth.log"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "pfsense-gui-failed-auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
results[0].Overflow.Alert.Events[5].GetMeta("machine") == "pfSense"
results[0].Overflow.Alert.Events[5].GetMeta("service") == "pfsense-gui"
results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.0.0.1"
results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-10-26T14:50:30Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "toto"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "toto"
results[0].Overflow.Alert.GetScenario() == "crowdsecurity/pfsense-gui-bf"
results[0].Overflow.Alert.Remediation == true
results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/pgsql-logs/config.yaml b/.tests/pgsql-logs/config.yaml
index e66bc16306d..133e782a37f 100644
--- a/.tests/pgsql-logs/config.yaml
+++ b/.tests/pgsql-logs/config.yaml
@@ -1,7 +1,7 @@
parsers:
- crowdsecurity/syslog-logs
-- crowdsecurity/dateparse-enrich
- crowdsecurity/pgsql-logs
+- crowdsecurity/dateparse-enrich
scenarios:
- crowdsecurity/pgsql-bf
postoverflows:
diff --git a/.tests/pgsql-logs/parser.assert b/.tests/pgsql-logs/parser.assert
index 45c841ed05c..69fa3d31da5 100644
--- a/.tests/pgsql-logs/parser.assert
+++ b/.tests/pgsql-logs/parser.assert
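Review bot: The six event blocks switch the asserted keys from `log_type`/`username` to `auth_status`/`target_user` but say nothing about the old keys, so a parser that merely added the new keys next to the old ones passes exactly like one that replaced them. If the rename is meant to be clean, pin it once, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == ""` (GetMeta yields an empty string for an absent key); if `log_type` and `username` are deliberately kept for notification templates and dashboards already keyed on them, assert that instead so the compatibility contract is visible here. This matters because the parser-stage assertions that previously pinned those keys for this datasource appear to be removed earlier in the diff (the run of `-results["s01-parse"]["crowdsecurity/pfsense-gui-logs"]…` lines), leaving this file as the only check. The scenario filter for crowdsecurity/pfsense-gui-bf is not in the diff; the unchanged `GetEventsCount() == 6` is what would catch a filter still keyed on `log_type`.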
@@ -1,50 +1,168 @@
-len(results["s01-parse"]["crowdsecurity/pgsql-logs"]) == 6
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2021-09-28 09:22:18.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "pgsql-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2021-09-28 09:22:19.536 UTC:1.2.3.4(5432):i_dont_exist@postgres:[127]:FATAL: password authentication failed for user \"i_dont_exist\""
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2021-09-28 09:22:20.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2021-09-28 09:22:21.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2021-09-28 09:22:22.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2021-09-28 09:22:23.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
+len(results["s01-parse"]["crowdsecurity/pgsql-logs"]) == 6
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["timestamp"] == "21-09-28 09:22:18.536"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["zone"] == "UTC"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["PID"] == "147"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["message"] == "2021-09-28 09:22:18.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["pgsql_dbname"] == "postgres"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["pgsql_user"] == "i_dont_exist"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["program"] == "postgres"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["message"] == "2021-09-28 09:22:18.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["pgsql_user"] == "i_dont_exist"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["log_type"] == "pgsql_failed_auth"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["timestamp"] == "21-09-28 09:22:18.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Parsed["zone"] == "UTC"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["datasource_path"] == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["db"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["service"] == "pgsql"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["pgsql_user"] == "i_dont_exist"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["source_port"] == "5432"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["timestamp"] == "21-09-28 09:22:19.536"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["auth_method"] == "password"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["message"] == "2021-09-28 09:22:19.536 UTC:1.2.3.4(5432):i_dont_exist@postgres:[127]:FATAL: password authentication failed for user \"i_dont_exist\""
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["pgsql_dbname"] == "postgres"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["pgsql_user"] == "i_dont_exist"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["pid"] == "127"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["source_port"] == "5432"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["timestamp"] == "21-09-28 09:22:19.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Parsed["zone"] == "UTC"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["datasource_path"] == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["service"] == "pgsql"
 results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["user"] == "i_dont_exist"
\ No newline at end of file
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["PID"] == "147"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["message"] == "2021-09-28 09:22:20.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["pgsql_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["timestamp"] == "21-09-28 09:22:20.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Parsed["zone"] == "UTC"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["db"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["service"] == "pgsql"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["PID"] == "147"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["message"] == "2021-09-28 09:22:21.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["pgsql_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["timestamp"] == "21-09-28 09:22:21.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Parsed["zone"] == "UTC"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["db"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["service"] == "pgsql"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["PID"] == "147"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["message"] == "2021-09-28 09:22:22.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["pgsql_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["timestamp"] == "21-09-28 09:22:22.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Parsed["zone"] == "UTC"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["db"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["service"] == "pgsql"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["PID"] == "147"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["message"] == "2021-09-28 09:22:23.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user \"i_dont_exist\""
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["pgsql_target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["pgsql_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["timestamp"] == "21-09-28 09:22:23.536"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Parsed["zone"] == "UTC"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["datasource_path"]) == "pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["db"] == "postgres"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["service"] == "pgsql"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Meta["target_user"] == "i_dont_exist"
+results["s01-parse"]["crowdsecurity/pgsql-logs"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/pgsql-logs/pgsql-logs.log b/.tests/pgsql-logs/pgsql-logs.log
index 9ed27c43867..669c7427866 100644
--- a/.tests/pgsql-logs/pgsql-logs.log
+++ b/.tests/pgsql-logs/pgsql-logs.log
@@ -3,4 +3,4 @@
 2021-09-28 09:22:20.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user "i_dont_exist"
 2021-09-28 09:22:21.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user "i_dont_exist"
 2021-09-28 09:22:22.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user "i_dont_exist"
-2021-09-28 09:22:23.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user "i_dont_exist"
\ No newline at end of file
+2021-09-28 09:22:23.536 UTC [147] 1.2.3.4 i_dont_exist@postgres FATAL: password authentication failed for user "i_dont_exist"
diff --git a/.tests/pgsql-logs/scenario.assert b/.tests/pgsql-logs/scenario.assert
index a4c4abdef73..8c5ce0b0da5 100644
--- a/.tests/pgsql-logs/scenario.assert
+++ b/.tests/pgsql-logs/scenario.assert
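Review bot: The regenerated assertions pin `Evt.Parsed["timestamp"] == "21-09-28 09:22:18.536"` for event [0] and the same two-digit-year form for events [1] to [5], while the `Parsed["message"]` on each of those events starts with `2021-09-28`, so the expected values lock in a capture that drops the century; this looks like a capture-group offset in the parser's timestamp pattern rather than intended behaviour, and since the config.yaml hunk earlier in this diff moves `crowdsecurity/dateparse-enrich` to run after `crowdsecurity/pgsql-logs`, it is worth confirming what the enrich stage actually produces from that value before freezing it in the test. The same hunk keeps `Parsed["PID"]` for the `[147]` line format and `Parsed["pid"]` for the `UTC:1.2.3.4(5432):...:[127]:` format, so downstream consumers cannot rely on a single key name; either the parser should emit one of the two consistently or a line such as `# NOTE: "PID" vs "pid" differs by log format; kept as the parser emits it` at the top of the file would make the mismatch deliberate rather than accidental. The added `Evt.Whitelisted == false` and `len(results["success"][""]) == 0` checks are useful; a matching `len(results["s01-parse"]) == 1` style check on stage keys would additionally catch a parser silently being dropped from the stage.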
@@ -1,50 +1,57 @@
+len(results) == 1
 "1.2.3.4" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.Events[1].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.Events[2].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.Events[3].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.Events[4].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.Events[5].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "pgsql-logs.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "pgsql-logs.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "i_dont_exist"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "i_dont_exist"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/pgsql-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/pgsql-user-enum/config.yaml b/.tests/pgsql-user-enum/config.yaml
index 42778eb6bee..205bebd98f9 100644
--- a/.tests/pgsql-user-enum/config.yaml
+++ b/.tests/pgsql-user-enum/config.yaml
@@ -9,5 +9,5 @@ postoverflows:
 log_file: pgsql-user-enum.log
 log_type: postgres
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
 override_statics: []
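Review bot: None of the six per-event checks in this hunk asserts the event timestamp, so the alert's time data goes unverified even though the parser assertions for the same test in this commit pin a two-digit-year `Parsed["timestamp"]` and the config.yaml change moves `crowdsecurity/dateparse-enrich` after `crowdsecurity/pgsql-logs`. The pfSense scenario assertions earlier in this diff guard this with `GetMeta("timestamp")[4:] == "-10-26T14:50:25Z"`, and if the enrich stage sets the `timestamp` meta on these events as it does there, one equivalent line per event, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-09-28T09:22:18Z"` (value constructed from the event's message; confirm against a test run), would catch a mis-enriched date that the metadata renames alone cannot.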
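Review bot: Flipping `ignore_parsers` to `true` here, together with the deletion of `.tests/pgsql-user-enum/parser.assert` that immediately follows, removes every check on the `crowdsecurity/supabase-docker-pgsql` parse stage for this test (source_ip, target user, auth_method, db), so a regression in that parser would only surface indirectly through the scenario assertions, if at all. If the parser assertions were dropped because they no longer match the renamed metadata (`target_user`, `auth_status`, `service`), regenerating them as was done for `.tests/pgsql-logs/parser.assert` in this same commit would keep the coverage at no extra cost. If ignoring parsers is intentional, a one-line comment above the key stating the reason, e.g. `# ignore_parsers: <reason this test checks only the scenario stage>`, would stop the next reader from treating it as an oversight.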
diff --git a/.tests/pgsql-user-enum/parser.assert b/.tests/pgsql-user-enum/parser.assert
deleted file mode 100644
index 06ba7107d3d..00000000000
--- a/.tests/pgsql-user-enum/parser.assert
+++ /dev/null
@@ -1,270 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.425 UTC [53962] zysk@postgres FATAL: password authentication failed for user \"zysk\""
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.407 UTC [53941] zymotic@postgres FATAL: password authentication failed for user \"zymotic\""
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.208 UTC [53897] zymometer@postgres FATAL: password authentication failed for user \"zymometer\""
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.152 UTC [53872] zymolysis@postgres FATAL: password authentication failed for user \"zymolysis\""
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.109 UTC [53863] zymogenic@postgres FATAL: password authentication failed for user \"zymogenic\""
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
-len(results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"]) == 6
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.425"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.425 UTC [53962] zysk@postgres FATAL: password authentication failed for user \"zysk\""
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_user"] == "zysk"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["PID"] == "53962"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_dbname"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_target_user"] == "zysk"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["log_type"] == "pgsql_failed_auth"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["user"] == "zysk"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_dbname"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_user"] == "zyrian"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.411"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["PID"] == "53959"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_target_user"] == "zyrian"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["log_type"] == "pgsql_failed_auth"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["user"] == "zyrian"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_user"] == "zymotic"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["PID"] == "53941"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_target_user"] == "zymotic"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.407"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.407 UTC [53941] zymotic@postgres FATAL: password authentication failed for user \"zymotic\""
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["log_type"] == "pgsql_failed_auth"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["user"] == "zymotic"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["pgsql_user"] == "zymometer"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["PID"] == "53897"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.208 UTC [53897] zymometer@postgres FATAL: password authentication failed for user \"zymometer\""
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["pgsql_dbname"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["pgsql_target_user"] == "zymometer"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.208"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["datasource_path"] == "pgsql-user-enum.log"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["log_type"] == "pgsql_failed_auth"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][3].Evt.Meta["user"] == "zymometer"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["zone"] == "UTC" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["PID"] == "53872" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["auth_method"] == "password" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["pgsql_target_user"] == "zymolysis" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["program"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.152 UTC [53872] zymolysis@postgres FATAL: password authentication failed for user \"zymolysis\"" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["pgsql_user"] == "zymolysis" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.152" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["source_ip"] == "65.2.129.7" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["user"] == "zymolysis" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["auth_method"] == "password" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][4].Evt.Meta["db"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Success == true 
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["auth_method"] == "password" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["pgsql_target_user"] == "zymogenic" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["zone"] == "UTC" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["PID"] == "53863" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["pgsql_user"] == "zymogenic" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["program"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.109" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.109 UTC [53863] zymogenic@postgres FATAL: password authentication failed for user \"zymogenic\"" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["auth_method"] == "password" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["db"] == "postgres" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["source_ip"] == "65.2.129.7" -results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][5].Evt.Meta["user"] == "zymogenic" -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["PID"] == "53962" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.425 UTC [53962] zysk@postgres FATAL: password authentication failed for user \"zysk\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_target_user"] == "zysk" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.425" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_user"] == "zysk" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.425Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "zysk" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "65.2.129.7" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.425Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_target_user"] == "zyrian" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.411" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["PID"] == "53959" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_user"] == "zyrian" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.411Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "zyrian" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "pgsql_failed_auth" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.411Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["PID"] == "53941" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.407 UTC [53941] zymotic@postgres FATAL: password authentication failed for user \"zymotic\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_target_user"] == "zymotic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_user"] == "zymotic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.407" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.407Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "zymotic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == 
"pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.407Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pgsql_target_user"] == "zymometer" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.208" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pgsql_user"] == "zymometer" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["PID"] == "53897" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.208 UTC [53897] zymometer@postgres FATAL: password authentication failed for user \"zymometer\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == 
"pgsql_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.208Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "zymometer" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.208Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pgsql_target_user"] == "zymolysis" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.152" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.152 UTC [53872] zymolysis@postgres FATAL: password authentication failed for user \"zymolysis\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pgsql_user"] == "zymolysis" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["PID"] == "53872" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.152Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "zymolysis" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.152Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.109 UTC [53863] zymogenic@postgres FATAL: password authentication failed for user \"zymogenic\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pgsql_target_user"] == "zymogenic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["PID"] == "53863" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pgsql_dbname"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pgsql_user"] == "zymogenic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.109" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["zone"] == "UTC" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "pgsql_failed_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == 
"65.2.129.7" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.109Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "zymogenic" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_method"] == "password" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "pgsql-user-enum.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["db"] == "postgres" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.109Z" -len(results["success"][""]) == 0 \ No newline at end of file diff --git a/.tests/pgsql-user-enum/scenario.assert b/.tests/pgsql-user-enum/scenario.assert index 44705e79461..3488fb37ed1 100644 --- a/.tests/pgsql-user-enum/scenario.assert +++ b/.tests/pgsql-user-enum/scenario.assert 
@@ -5,53 +5,59 @@ results[0].Overflow.Sources["65.2.129.7"].Range == ""
 results[0].Overflow.Sources["65.2.129.7"].GetScope() == "Ip"
 results[0].Overflow.Sources["65.2.129.7"].GetValue() == "65.2.129.7"
 results[0].Overflow.Alert.Events[0].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "zysk"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-12T11:17:28.425Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "zysk"
 results[0].Overflow.Alert.Events[1].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "zyrian"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-12T11:17:28.411Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "zyrian"
 results[0].Overflow.Alert.Events[2].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "zymotic"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-12T11:17:28.407Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "zymotic"
 results[0].Overflow.Alert.Events[3].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "zymometer"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-12T11:17:28.208Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "zymometer"
 results[0].Overflow.Alert.Events[4].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "zymolysis"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-12T11:17:28.152Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "zymolysis"
 results[0].Overflow.Alert.Events[5].GetMeta("auth_method") == "password"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "pgsql-user-enum.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "pgsql-user-enum.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("db") == "postgres"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "pgsql_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "pgsql"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "65.2.129.7"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "zymogenic"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-12T11:17:28.109Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "zymogenic"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/pgsql-user-enum"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/postfix-helo/parser.assert b/.tests/postfix-helo/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/postfix-non-smtp/parser.assert b/.tests/postfix-non-smtp/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/postfix-relay/parser.assert b/.tests/postfix-relay/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/postfix-spam/parser.assert b/.tests/postfix-spam/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/proftpd-bf/parser.assert b/.tests/proftpd-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/proftpd-bf/scenario.assert b/.tests/proftpd-bf/scenario.assert
index 0f6687102fd..e1bc16d4402 100644
--- a/.tests/proftpd-bf/scenario.assert
+++ b/.tests/proftpd-bf/scenario.assert
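Review bot: The old-to-new meta key mapping that this scenario now asserts (`log_type: pgsql_failed_auth` becomes `service: pgsql` plus `auth_status: failed`, and `user` becomes `target_user`) is not recorded anywhere visible in this diff, and the proftpd-bf hunk performs the same rename. The test itself is fine, but these keys are what notification templates, SIEM field mappings and custom scenarios read via `GetMeta`, so anything keyed on `user` or `log_type` will silently start seeing empty values after the hub update. One line in the commit message or the hub changelog stating the mapping, with the affected parsers listed, would let operators update their templates before upgrading. The wrapping of `datasource_path` in `basename(...)` also suggests that meta value may now carry a full path rather than a bare filename; if so, that is a second consumer-visible change worth a mention.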
@@ -4,36 +4,48 @@ results[0].Overflow.Sources["192.168.1.142"].IP == "192.168.1.142"
 results[0].Overflow.Sources["192.168.1.142"].Range == ""
 results[0].Overflow.Sources["192.168.1.142"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.142"].GetValue() == "192.168.1.142"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "seb"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-05-28T18:08:34.399Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "seb"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-05-28T18:08:35.399Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "seb"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-05-28T18:08:36.399Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "seb"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-05-28T18:08:36.399Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "seb"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "proftpd-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-05-28T18:08:37.399Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "proftpd-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "proftpd"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "seb"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-05-28T18:08:37.399Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/proftpd-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/proftpd-logs/parser.assert b/.tests/proftpd-logs/parser.assert
index 2c326d32600..b7452bedfda 100644
--- a/.tests/proftpd-logs/parser.assert
+++ b/.tests/proftpd-logs/parser.assert
@@ -41,7 +41,7 @@ results["s01-parse"]["proftpd-logs"][0].Evt.Parsed["hostname"] == "mantis"
 results["s01-parse"]["proftpd-logs"][0].Evt.Parsed["message"] == "2021-05-28 18:08:01,124 mantis proftpd[498625] mantis (192.168.1.142[192.168.1.142]): USER asd: no such user found from 192.168.1.142 [192.168.1.142] to ::ffff:192.168.1.23:21"
 results["s01-parse"]["proftpd-logs"][0].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s01-parse"]["proftpd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["proftpd-logs"][0].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s01-parse"]["proftpd-logs"][0].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["proftpd-logs"][0].Evt.Meta["source_ip"] == "192.168.1.142"
 results["s01-parse"]["proftpd-logs"][0].Evt.Meta["target_user"] == "asd"
 results["s01-parse"]["proftpd-logs"][1].Success == true
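Review bot: The newly added `timestamp` assertions pin identical values for two pairs of events: Events[2] and Events[3] both get `2021-05-28T18:08:36.399Z`, Events[4] and Events[5] both get `2021-05-28T18:08:37.399Z`, and all six share the same `.399` millisecond fraction. If the lines in the proftpd-bf.log fixture really repeat those timestamps this is fine, but if they differ at sub-second granularity it would mean the parsed timestamp is losing precision and these assertions are freezing a wrong value into the test. A generated assert file captures whatever the parser emitted, so only a manual comparison against the fixture catches this; it is worth a quick check before merging, since event timestamps feed the scenario's leaky-bucket timing.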
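Review bot: The proftpd-logs/parser.assert hunks (this one at `@@ -41,7` and the four that follow at `-55`, `-63`, `-79` and `-89`) look hand-edited rather than regenerated: `auth_status` was substituted in place of `log_type`, which leaves it out of the otherwise alphabetical key order between `datasource_type` and `source_ip`, `datasource_path` is still compared bare while the proftpd-bf scenario.assert in the same commit wraps it in `basename(...)`, and no hunk asserts the new `service` meta key that the scenario.assert expects as `"proftpd"`. For Events[0] the visible Meta list runs `datasource_path`, `datasource_type`, `auth_status`, `source_ip`, `target_user` and then `[1].Success`, so `service` is not pinned at the parser level at all. Regenerating these assertions with the hub test tooling would restore consistency and catch a missing `service` at the parser stage, where a regression surfaces first; as a minimum, adding `results["s01-parse"]["proftpd-logs"][0].Evt.Meta["service"] == "proftpd"` per event would close the gap.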
@@ -55,7 +55,7 @@ results["s01-parse"]["proftpd-logs"][1].Evt.Meta["source_ip"] == "192.168.1.142"
 results["s01-parse"]["proftpd-logs"][1].Evt.Meta["target_user"] == "seb"
 results["s01-parse"]["proftpd-logs"][1].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s01-parse"]["proftpd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["proftpd-logs"][1].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s01-parse"]["proftpd-logs"][1].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["proftpd-logs"][2].Success == true
 results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["hostname"] == "172.31.39.97"
 results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["message"] == "Jan 7 18:26:02 amazing-ishizaka proftpd[80283]: 172.31.39.97 (1.1.1.1[1.1.1.1]) - USER sdf: no such user found from 1.1.1.1 [1.1.1.1] to 172.31.39.97:21"
@@ -63,7 +63,7 @@ results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["program"] == "proftpd"
 results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["source_ip"] == "1.1.1.1"
 results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 18:26:02"
 results["s01-parse"]["proftpd-logs"][2].Evt.Parsed["username"] == "sdf"
-results["s01-parse"]["proftpd-logs"][2].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s01-parse"]["proftpd-logs"][2].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["proftpd-logs"][2].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["proftpd-logs"][2].Evt.Meta["target_user"] == "sdf"
 results["s01-parse"]["proftpd-logs"][2].Evt.Meta["datasource_path"] == "proftpd-logs.log"
@@ -79,7 +79,7 @@ results["s01-parse"]["proftpd-logs"][3].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["proftpd-logs"][3].Evt.Meta["target_user"] == "unruffled-feynman"
 results["s01-parse"]["proftpd-logs"][3].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s01-parse"]["proftpd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["proftpd-logs"][3].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s01-parse"]["proftpd-logs"][3].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["proftpd-logs"][4].Success == true
 results["s01-parse"]["proftpd-logs"][4].Evt.Parsed["program"] == "proftpd"
 results["s01-parse"]["proftpd-logs"][4].Evt.Parsed["source_ip"] == "2a02:8070:e186:16e1:1111:222:3333:b173"
@@ -89,7 +89,7 @@ results["s01-parse"]["proftpd-logs"][4].Evt.Parsed["hostname"] == "localhost"
 results["s01-parse"]["proftpd-logs"][4].Evt.Parsed["message"] == "2023-09-05 19:07:03,851 server03 proftpd[127258] localhost (2a02:8070:e186:16e1:1111:222:3333:b173[2a02:8070:e186:16e1:1111:222:3333:b173]): USER ccvv_ftp1 (Login failed): No such user found"
 results["s01-parse"]["proftpd-logs"][4].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s01-parse"]["proftpd-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["proftpd-logs"][4].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s01-parse"]["proftpd-logs"][4].Evt.Meta["auth_status"] == "failed"
 results["s01-parse"]["proftpd-logs"][4].Evt.Meta["source_ip"] == "2a02:8070:e186:16e1:1111:222:3333:b173"
 results["s01-parse"]["proftpd-logs"][4].Evt.Meta["target_user"] == "ccvv_ftp1"
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5
@@ -102,7 +102,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2021-05-28 18:08:01,124"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.142"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "asd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2021-05-28T18:08:01.124Z"
@@ -117,7 +117,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2021-05-28T18:08:34.399Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.142"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "seb"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2021-05-28T18:08:34.399Z"
@@ -133,7 +133,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-01-07T18:26:02Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-01-07T18:26:02Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 7 18:26:52"
@@ -142,7 +142,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["hostname"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "Jan 7 18:26:52 amazing-ishizaka proftpd[80686]: 172.31.39.97 (1.1.1.1[1.1.1.1]) - USER unruffled-feynman (Login failed): Incorrect password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "proftpd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.1.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "unruffled-feynman"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-01-07T18:26:52Z"
@@ -158,7 +158,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["hostname"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2023-09-05 19:07:03,851 server03 proftpd[127258] localhost (2a02:8070:e186:16e1:1111:222:3333:b173[2a02:8070:e186:16e1:1111:222:3333:b173]): USER ccvv_ftp1 (Login failed): No such user found"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "proftpd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "ftp_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "2a02:8070:e186:16e1:1111:222:3333:b173"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "ccvv_ftp1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-09-05T19:07:03.851Z"
diff --git a/.tests/proftpd-user-enum/parser.assert b/.tests/proftpd-user-enum/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/proftpd-user-enum/scenario.assert b/.tests/proftpd-user-enum/scenario.assert
index 4be3b7fc854..a9576675de6 100644
--- a/.tests/proftpd-user-enum/scenario.assert
+++ b/.tests/proftpd-user-enum/scenario.assert
@@ -6,32 +6,32 @@ results[0].Overflow.Sources["192.168.1.142"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.1.142"].GetValue() == "192.168.1.142"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "asd"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "foo"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "bar"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "foobar"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "proftpd-user-enum.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ftp_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.142"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/proftpd-bf_user-enum"
diff --git a/.tests/prowlarr-bf/parser.assert b/.tests/prowlarr-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/prowlarr-bf/scenario.assert b/.tests/prowlarr-bf/scenario.assert
index c6707c6af89..7d0e9f8bb5d 100644
--- a/.tests/prowlarr-bf/scenario.assert
+++ b/.tests/prowlarr-bf/scenario.assert
@@ -1,57 +1,56 @@
-len(results) == 1
-"1.2.3.4" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-10T11:17:51Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-10T11:17:51Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-10T11:17:52Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-10-10T11:17:52Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-10T11:17:53Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-10-10T11:17:53Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-10T11:17:54Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-10-10T11:17:54Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-10-10T11:17:55Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "prowlarr-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-10-10T11:17:55Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "prowlarr-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "prowlarr_failed_authentication"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "prowlarr"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "prowlarr"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-10-10T11:17:56Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-10-10T11:17:56Z"
 results[0].Overflow.Alert.GetScenario() == "schiz0phr3ne/prowlarr-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
+
diff --git a/.tests/prowlarr-logs/parser.assert b/.tests/prowlarr-logs/parser.assert
index 4943621da22..71dca48db20 100644
--- a/.tests/prowlarr-logs/parser.assert
+++ b/.tests/prowlarr-logs/parser.assert
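Review bot: Dropping `len(results) == 1` at the top of the hunk leaves the scenario test unable to detect a second overflow for the same source, since every remaining assertion only inspects `results[0]`; restore `len(results) == 1` as the first line unless the harness now enforces the count elsewhere. The timestamp checks also move from the year-agnostic `[4:] == "-10-10T11:17:51Z"` form to the fixed `== "2025-10-10T11:17:51Z"` while the underlying syslog line carries no year, so unless the runner pins the reference clock these will start failing once the inferred year changes; the proftpd-logs parser.assert hunks above keep the `[4:]` form for their syslog-dated events. The trailing `+` line adds a blank line at end of file, which is a style nit.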
@@ -1,158 +1,197 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 10 11:17:51"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "Prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 10 11:17:51"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "prowlarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Oct 10 11:17:52"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "Prowlarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Oct 10 11:17:52"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "Prowlarr"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Oct 10 11:17:53"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 10 11:17:54"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "Prowlarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 10 11:17:54"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "Prowlarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 10 11:17:55"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "8213"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "Prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 10 11:17:55"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "Prowlarr"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 10 11:17:56"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "prowlarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "[Info] Auth: Auth-Success ip 1.2.3.5 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "8213"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "Prowlarr"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Oct 10 11:17:57"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "[Info] Auth: Auth-Success ip 1.2.3.5 username 'test'"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "prowlarr"
-len(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"]) == 7
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "8213"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "Prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Oct 10 11:18:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "prowlarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
+len(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"]) == 8
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Success == true
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["username"] == "'test'"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["pid"] == "8213"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["program"] == "Prowlarr"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["timestamp"] == "Oct 10 11:17:51"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["machine"] == "prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["service"] == "prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Success == true
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["program"] == "Prowlarr"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["pid"] == "8213"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["program"] == "Prowlarr"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["timestamp"] == "Oct 10 11:17:52"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["service"] == "prowlarr"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["machine"] == "prowlarr"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["service"] == "prowlarr"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Success == true
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["pid"] == "8213"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 10 11:17:53"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["pid"] == "8213"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["program"] == "Prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 10 11:17:53"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["datasource_path"]) == "prowlarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["machine"] == "prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["service"] == "prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["datasource_path"] == "prowlarr-logs.log"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Success == true
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["pid"] == "8213" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["program"] == "Prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["timestamp"] == "Oct 10 11:17:54" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["username"] == "'test'" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["datasource_path"] == "prowlarr-logs.log" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["datasource_path"]) == "prowlarr-logs.log" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["log_type"] == "prowlarr_failed_authentication" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["machine"] == "prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["service"] == "prowlarr" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Meta["target_user"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][3].Evt.Whitelisted == false results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Success == true -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["pid"] == "8213" 
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["username"] == "'test'" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["pid"] == "8213" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["program"] == "Prowlarr" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["timestamp"] == "Oct 10 11:17:55" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["log_type"] == "prowlarr_failed_authentication" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["datasource_path"]) == "prowlarr-logs.log" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["machine"] == "prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["service"] == "prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["username"] == "'test'" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["datasource_path"] == "prowlarr-logs.log" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Meta["target_user"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][4].Evt.Whitelisted == false 
results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Success == true -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["username"] == "'test'" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["program"] == "Prowlarr" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["timestamp"] == "Oct 10 11:17:56" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["pid"] == "8213" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["program"] == "Prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["timestamp"] == "Oct 10 11:17:56" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["datasource_path"]) == "prowlarr-logs.log" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["machine"] == "prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["service"] == "prowlarr" results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["username"] == "'test'" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["datasource_path"] == "prowlarr-logs.log" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["log_type"] == "prowlarr_failed_authentication" 
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Meta["target_user"] == "'test'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][5].Evt.Whitelisted == false results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][6].Success == false +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Success == true +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["pid"] == "8213" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["program"] == "Prowlarr" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["timestamp"] == "Oct 10 11:18:00" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Parsed["username"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["datasource_path"]) == "prowlarr-logs.log" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["machine"] == "prowlarr" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["service"] == "prowlarr" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Meta["target_user"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'" +results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][7].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/.tests/prowlarr-logs/prowlarr-logs.log b/.tests/prowlarr-logs/prowlarr-logs.log index 4d3777f5bca..8fc2f689ca7 100644 
--- a/.tests/prowlarr-logs/prowlarr-logs.log
+++ b/.tests/prowlarr-logs/prowlarr-logs.log
@@ -5,3 +5,4 @@ Oct 10 11:17:54 prowlarr Prowlarr[8213]: [Warn] Auth: Auth-Failure ip 1.2.3.4 us
 Oct 10 11:17:55 prowlarr Prowlarr[8213]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 10 11:17:56 prowlarr Prowlarr[8213]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 10 11:17:57 prowlarr Prowlarr[8213]: [Info] Auth: Auth-Success ip 1.2.3.5 username 'test'
+Oct 10 11:18:00 prowlarr Prowlarr[8213]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'
diff --git a/.tests/prowlarr-nonsyslog-logs/parser.assert b/.tests/prowlarr-nonsyslog-logs/parser.assert
index 8586e853e3f..9bfb61a47d8 100644
--- a/.tests/prowlarr-nonsyslog-logs/parser.assert
+++ b/.tests/prowlarr-nonsyslog-logs/parser.assert
@@ -3,92 +3,98 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Prowlarr"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "Prowlarr"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"]) == 2
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Success == true
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["date"] == "2022-12-17"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["day"] == "17"
results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["log_level"] == "Warn"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["month"] == "12"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["year"] == "2022"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["date"] == "2022-12-17"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["day"] == "17"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["program"] == "Prowlarr"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["time"] == "22:04:36.2"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["username"] == "testing"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["service"] == "prowlarr"
results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["username"] == "testing"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Meta["target_user"] == "testing"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Success == true
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["date"] == "2022-12-17"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["day"] == "17"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["log_level"] == "Warn"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["month"] == "12"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["time"] == "22:04:41.7"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["date"] == "2022-12-17"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["log_level"] == "Warn"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["program"] == "Prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["time"] == "22:04:41.7"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["username"] == "testing2"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["service"] == "prowlarr"
 results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["username"] == "testing2"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Meta["target_user"] == "testing2"
+results["s01-parse"]["schiz0phr3ne/prowlarr-logs"][1].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2022-12-17"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "22:04:36.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "testing"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "17"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Prowlarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "22:04:36.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "testing"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "prowlarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "testing"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-12-17T22:04:36.2Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "testing"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-12-17T22:04:36.2Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2022-12-17"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["day"] == "17"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "12"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "22:04:41.7"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Prowlarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "22:04:41.7"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "testing2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "prowlarr-nonsyslog-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "prowlarr-nonsyslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "prowlarr_failed_authentication"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "prowlarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "testing2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-12-17T22:04:41.7Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "testing2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-12-17T22:04:41.7Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/proxmox-bf/scenario.assert b/.tests/proxmox-bf/scenario.assert
index 4190f3054fe..43ce6d22caa 100644
--- a/.tests/proxmox-bf/scenario.assert
+++ b/.tests/proxmox-bf/scenario.assert
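Review bot: The new `target_user` assertions pin two different normalizations of the same field: this non-syslog path yields a bare `"testing"`, while the syslog-path assertions visible above keep the surrounding single quotes (`Evt.Meta["target_user"] == "'test'"` and `== "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"`). Any scenario or whitelist that keys on `evt.Meta.target_user` (per-user brute-force buckets, an allow-list of admin accounts) would therefore behave differently depending on whether Prowlarr logs arrive via syslog or are read from the file directly. The parser should strip the quotes in the syslog branch (the grok pattern or a statics step, whichever the parser uses) so both paths agree, after which the syslog assertions would read `== "test"`. The hunk also drops every `log_type` assertion without a replacement check that the key is gone, so a parser still emitting both old and new keys would pass; a negative assertion per event would catch that, assuming the assert DSL can express key absence — to be confirmed.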
@@ -6,51 +6,51 @@ results[0].Overflow.Sources["::ffff:172.21.10.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["::ffff:172.21.10.2"].GetValue() == "::ffff:172.21.10.2"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[0].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[0].GetMeta("source_user") == "toor"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "toor"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-04T17:34:01Z"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[1].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[1].GetMeta("source_user") == "root"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-01-04T17:34:02Z"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[2].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[2].GetMeta("source_user") == "toor"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toor"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-01-04T17:34:01Z"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[3].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[3].GetMeta("source_user") == "root"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-01-04T17:34:02Z"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[4].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[4].GetMeta("source_user") == "toor"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toor"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-01-04T17:34:01Z"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "proxmox-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "pve_failed-auth"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "hypervisor"
-results[0].Overflow.Alert.Events[5].GetMeta("service") == "pvedaemon"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "proxmox"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "::ffff:172.21.10.2"
-results[0].Overflow.Alert.Events[5].GetMeta("source_user") == "root"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-01-04T17:34:02Z"
 results[0].Overflow.Alert.GetScenario() == "fulljackz/proxmox-bf"
 results[0].Overflow.Alert.Remediation == true
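Review bot: The decision value this hunk keeps pinning is the IPv4-mapped IPv6 form `::ffff:172.21.10.2` (`GetValue() == "::ffff:172.21.10.2"` and every `source_ip` meta in the hunk), and the meta rename does nothing to normalize it. Whether a ban on `::ffff:172.21.10.2` actually blocks the IPv4 client `172.21.10.2` depends on each bouncer canonicalizing mapped addresses, which cannot be confirmed from this file; normalizing in the parser (e.g. stripping the `::ffff:` prefix before `source_ip` is set) would remove the ambiguity, and these assertions would then expect `"172.21.10.2"`. Separately, `service` moves from the emitting daemon (`pvedaemon`) to the product name (`proxmox`); if consumers still need to tell pvedaemon and pveproxy failures apart, that daemon name should be carried in another meta key rather than lost.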
@@ -62,51 +62,51 @@ results[1].Overflow.Sources["2001:abcd:1234:abcd::1"].GetScope() == "Ip"
 results[1].Overflow.Sources["2001:abcd:1234:abcd::1"].GetValue() == "2001:abcd:1234:abcd::1"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[0].GetMeta("machine") == "hypervsior"
-results[1].Overflow.Alert.Events[0].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "proxmox"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[0].GetMeta("source_user") == "a"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "a"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-10T17:34:02Z"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[1].GetMeta("machine") == "hypervisor"
-results[1].Overflow.Alert.Events[1].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "proxmox"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[1].GetMeta("source_user") == "b"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "b"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[2].GetMeta("machine") == "hypervisor"
-results[1].Overflow.Alert.Events[2].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "proxmox"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[2].GetMeta("source_user") == "c"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "c"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[3].GetMeta("machine") == "hypervisor"
-results[1].Overflow.Alert.Events[3].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "proxmox"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[3].GetMeta("source_user") == "d"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "d"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[4].GetMeta("machine") == "hypervisor"
-results[1].Overflow.Alert.Events[4].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[4].GetMeta("service") == "proxmox"
results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[4].GetMeta("source_user") == "e"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "e"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "proxmox-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "pve_failed-auth"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[1].Overflow.Alert.Events[5].GetMeta("machine") == "hypervisor"
-results[1].Overflow.Alert.Events[5].GetMeta("service") == "pvedaemon"
+results[1].Overflow.Alert.Events[5].GetMeta("service") == "proxmox"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[1].Overflow.Alert.Events[5].GetMeta("source_user") == "f"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "f"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[1].Overflow.Alert.GetScenario() == "fulljackz/proxmox-bf"
 results[1].Overflow.Alert.Remediation == true
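Review bot: Replacing `log_type`/`source_user` with `auth_status`/`target_user` is a breaking change for any third-party scenario, profile or notification template that filters on `evt.Meta.log_type == 'pve_failed-auth'` or reads `source_user`, and nothing in this hunk asserts that the old keys are actually gone, so a parser still emitting both would pass unchanged. A negative assertion per event would close that gap — something like `results[1].Overflow.Alert.Events[0].GetMeta("log_type") == ""`, if GetMeta returns the empty string for a missing key (to be confirmed against the assert helpers) — and the removed keys should be named in the parser's description or changelog. Unrelated to the rename but visible here: Events[0] is asserted with `machine == "hypervsior"` while Events[1..5] use `hypervisor`; that looks like a typo in the fixture's first log line, and if it is deliberate (exercising hostname variance) it should be documented, otherwise corrected.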
@@ -118,51 +118,51 @@ results[2].Overflow.Sources["2001:abcd:1234:abcd::1"].GetScope() == "Ip"
 results[2].Overflow.Sources["2001:abcd:1234:abcd::1"].GetValue() == "2001:abcd:1234:abcd::1"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[0].GetMeta("machine") == "hypervsior"
-results[2].Overflow.Alert.Events[0].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[0].GetMeta("source_user") == "a"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "a"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-10T17:34:02Z"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[1].GetMeta("machine") == "hypervisor"
-results[2].Overflow.Alert.Events[1].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[1].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[1].GetMeta("source_user") == "b"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "b"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[2].GetMeta("machine") == "hypervisor"
-results[2].Overflow.Alert.Events[2].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[2].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[2].GetMeta("source_user") == "c"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "c"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[3].GetMeta("machine") == "hypervisor"
-results[2].Overflow.Alert.Events[3].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[3].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[3].GetMeta("source_user") == "d"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "d"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[4].GetMeta("machine") == "hypervisor"
-results[2].Overflow.Alert.Events[4].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[4].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[4].GetMeta("source_user") == "e"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "e"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_path") == "proxmox-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "pve_failed-auth"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 results[2].Overflow.Alert.Events[5].GetMeta("machine") == "hypervisor"
-results[2].Overflow.Alert.Events[5].GetMeta("service") == "pvedaemon"
+results[2].Overflow.Alert.Events[5].GetMeta("service") == "proxmox"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:abcd:1234:abcd::1"
-results[2].Overflow.Alert.Events[5].GetMeta("source_user") == "f"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "f"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-01-10T17:34:03Z"
 results[2].Overflow.Alert.GetScenario() == "fulljackz/proxmox-bf-user-enum"
 results[2].Overflow.Alert.Remediation == true
diff --git a/.tests/proxmox-logs/parser.assert b/.tests/proxmox-logs/parser.assert
index 5297e85bd25..43c3cff619c 100644
--- a/.tests/proxmox-logs/parser.assert
+++ b/.tests/proxmox-logs/parser.assert
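Review bot: `GetMeta("machine") == "hypervsior"` on Events[0] in this hunk still disagrees with the `"hypervisor"` expected for Events[1]–[5], and the same spelling is asserted as new code in the parser.assert hunk below (`[2].Evt.Meta["machine"] == "hypervsior"`); this looks like a typo in the sample log's hostname that the fixtures were updated to match rather than a deliberate variant. If the misspelling is intentional (for instance to check that the machine meta is copied verbatim from the log), a short note next to the fixture would stop a later "fix" from silently breaking the test; otherwise correct the sample log and this line to `results[2].Overflow.Alert.Events[0].GetMeta("machine") == "hypervisor"`. Separately, the rename to `target_user` here is only half-applied in parser.assert, where the new side still expects `Parsed["source_user"] == "toor"` alongside `Meta["target_user"] == "toor"`. Since the username in a failed login is supplied by the remote party, keeping one unambiguous name for it across parsed and meta fields avoids scenarios or downstream consumers confusing the attempted account with an authenticated one.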
@@ -1,469 +1,507 @@
 len(results) == 3
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 21
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "pvedaemon"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 4 17:34:01"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=toor@pam msg=no such user ('toor@pam')"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "3663339"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "hypervisor"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "pvedaemon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 4 17:34:01"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "hypervisor"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 4 17:34:02"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "3483744"
results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 4 17:34:02" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 4 17:34:02" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "3483744" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "hypervsior" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 4 17:34:02" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "hypervsior" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true 
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "3483744" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == " successful auth for user 'root@pam'" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "2891825" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == " successful auth for user 'root@pam'" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == 
"hypervisor" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "3483744" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "authentication failure; 
rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "3483744" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 4 17:34:03" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('toor@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('toor@pam')" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "hypervisor" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] 
== "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["pid"] == "3483744" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Jan 4 17:34:07" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('a@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "proxmox-logs.log" 
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('b@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["pid"] == "3663339" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('c@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["pid"] == 
"3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('d@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == true 
results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('e@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp"] == "Jan 4 17:34:04" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp"] == "Jan 4 17:34:08" results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["message"] == " successful auth for user 'root@pam'" results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["pid"] == "2891825" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp"] == "Jan 4 17:34:08" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"]) == "proxmox-logs.log" 
results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["timestamp"] == "Jan 4 17:34:08" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["timestamp"] == "Jan 4 17:34:09" results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["pid"] == "3483744" results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["program"] == 
"pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["machine"] == "hypervisor" -results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["timestamp"] == "Jan 4 17:34:09" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][17].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["timestamp"] == "Jan 4 17:34:11" results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["message"] == " successful auth for user 'root@pam'" results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["pid"] == "2891825" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["timestamp"] == "Jan 4 17:34:11" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["machine"] == "hypervisor" -results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][18].Success == true 
results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["pid"] == "3663339" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["timestamp"] == "Jan 4 17:34:08" -results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_path"] == "proxmox-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][19].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["pid"] == "3483744" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["program"] == "pvedaemon" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["timestamp"] == "Jan 4 17:34:12" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["machine"] == "hypervisor" -results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_path"] == "proxmox-logs.log" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][20].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["program"] == "pvedaemon" -results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["timestamp"] == "Jan 4 17:34:13" results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["message"] == " successful auth for user 'root@pam'" results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["pid"] == "2891825" -results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["program"] == "pvedaemon" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["timestamp"] == "Jan 4 17:34:13" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["machine"] == "hypervisor" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Whitelisted == false len(results["s01-parse"]["fulljackz/proxmox-logs"]) == 21 results["s01-parse"]["fulljackz/proxmox-logs"][0].Success == true -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=toor@pam msg=no such user ('toor@pam')" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["realm"] == "pam" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=toor@pam msg=no such 
user ('toor@pam')" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["pid"] == "3663339" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["program"] == "pvedaemon" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["realm"] == "pam" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["source_user"] == "toor" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["timestamp"] == "Jan 4 17:34:01" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Parsed["pid"] == "3663339" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["log_type"] == "pve_failed-auth" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["machine"] == "hypervisor" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["service"] == "pvedaemon" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["service"] == "proxmox" results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1" -results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["source_user"] == "toor" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Meta["target_user"] == "toor" +results["s01-parse"]["fulljackz/proxmox-logs"][0].Evt.Whitelisted == false results["s01-parse"]["fulljackz/proxmox-logs"][1].Success == true -results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["program"] == "pvedaemon" -results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["realm"] == "pam" 
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["timestamp"] == "Jan 4 17:34:02"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["pid"] == "3483744"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Parsed["timestamp"] == "Jan 4 17:34:02"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["timestamp"] == "Jan 4 17:34:02"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["source_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Parsed["timestamp"] == "Jan 4 17:34:02"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["machine"] == "hypervsior"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["source_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["source_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["source_user"] == "root"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Parsed["timestamp"] == "Jan 4 17:34:03"
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["source_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][4].Success == false
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["timestamp"] == "Jan 4 17:34:03"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Parsed["timestamp"] == "Jan 4 17:34:03"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["pid"] == "3483744"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["program"] == "pvedaemon"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["client_ip"] == "2001:bc8:628:1811::1"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["message"] == "authentication failure; rhost=2001:bc8:628:1811::1 user=root@pam msg=Authentication failure"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["pid"] == "3483744"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["source_user"] == "root"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Parsed["timestamp"] == "Jan 4 17:34:03"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["source_ip"] == "2001:bc8:628:1811::1"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["client_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('toor@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["pid"] == "3663339"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["service"] == "pvedaemon"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["machine"] == "hypervisor"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["service"] == "proxmox"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Success == true
+results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Parsed["timestamp"] == "Jan 4 17:34:07"
+results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["source_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["client_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["pid"] == "3663339"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('a@pam')"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["pid"] == "3663339"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Success == true
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["client_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('b@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["pid"] == "3663339"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["source_user"] == "toor"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["client_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('b@pam')"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["service"] == "proxmox"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["program"] == "pvedaemon"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["client_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('c@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["pid"] == "3663339"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["realm"] == "pam"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["source_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["client_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('d@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["pid"] == "3663339"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["client_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["service"] == "proxmox"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][12].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["client_ip"] == "1.1.1.1"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["pid"] == "3663339"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["source_user"] == "toor"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["message"] == "authentication failure; rhost=1.1.1.1 user=toor@pam msg=no such user ('e@pam')"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["pid"] == "3663339"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["realm"] == "pam"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["source_user"] == "toor"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Parsed["timestamp"] == "Jan 4 17:34:04"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][14].Success == false
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["timestamp"] == "Jan 4 17:34:08"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["pid"] == "3663339"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["source_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Parsed["timestamp"] == "Jan 4 17:34:08"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["source_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["datasource_path"] == "proxmox-logs.log"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["log_type"] == "pve_failed-auth"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][15].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Success == true
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["realm"] == "pam"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["timestamp"] == "Jan 4 17:34:09"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["pid"] == "3483744"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Parsed["timestamp"] == "Jan 4 17:34:09"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["service"] == "proxmox"
 results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["source_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/proxmox-logs"][16].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][17].Success == false
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Success == true
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["program"] == "pvedaemon"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["realm"] == "pam"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["pid"] == "3663339"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["program"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["source_user"] == "toor"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["timestamp"] == "Jan 4 17:34:08"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=toor@pam msg=no such user ('toor@pam')"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["source_ip"] == "::ffff:172.21.10.2"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["source_user"] == "toor"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["datasource_path"] == "proxmox-logs.log"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["datasource_path"]) == "proxmox-logs.log"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["log_type"] == "pve_failed-auth"
 results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["machine"] == "hypervisor"
-results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["service"] == "pvedaemon"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["service"] == "proxmox"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["source_ip"] == "::ffff:172.21.10.2"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Meta["target_user"] == "toor"
+results["s01-parse"]["fulljackz/proxmox-logs"][18].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Success == true
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["client_ip"] == "::ffff:172.21.10.2"
+results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure"
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["pid"] == "3483744"
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["program"] == "pvedaemon"
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["realm"] == "pam"
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["source_user"] == "root"
 results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["timestamp"] == "Jan 4 17:34:12"
-results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Parsed["message"] == "authentication failure; rhost=::ffff:172.21.10.2 user=root@pam msg=Authentication failure"
+results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["datasource_path"]) == "proxmox-logs.log" results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["log_type"] == "pve_failed-auth" results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["machine"] == "hypervisor" -results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["service"] == "pvedaemon" +results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["service"] == "proxmox" results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["source_ip"] == "::ffff:172.21.10.2" -results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["datasource_path"] == "proxmox-logs.log" +results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/proxmox-logs"][19].Evt.Whitelisted == false results["s01-parse"]["fulljackz/proxmox-logs"][20].Success == false len(results["success"][""]) == 0 diff --git a/.tests/pterodactyl-wings-bf/parser.assert b/.tests/pterodactyl-wings-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/pulse-secure-sslvpn-cve-2019-11510/parser.assert b/.tests/pulse-secure-sslvpn-cve-2019-11510/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/pureftpd-bf/config.yaml b/.tests/pureftpd-bf/config.yaml index cd4b00dfe0a..b8ff421eaaf 100644 --- a/.tests/pureftpd-bf/config.yaml +++ b/.tests/pureftpd-bf/config.yaml @@ -9,4 +9,4 @@ postoverflows: log_file: pureftpd-bf.log log_type: syslog labels: {} -ignore_parsers: false +ignore_parsers: true diff --git a/.tests/pureftpd-bf/parser.assert b/.tests/pureftpd-bf/parser.assert deleted file mode 100644 index 4fbb1095269..00000000000 --- a/.tests/pureftpd-bf/parser.assert +++ /dev/null 
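Review bot: Flipping `ignore_parsers` to `true` while `.tests/pureftpd-bf/parser.assert` is deleted in the same commit removes the only direct assertions on the `fulljackz/pureftpd-logs` parser output (`source_ip`, `source_user`, `log_type`, `service`), so a parser regression that still emits an event would be caught only if the scenario assertions happen to pin those fields. The same applies to the other parser.assert deletions visible here (pterodactyl-wings-bf and pulse-secure-sslvpn-cve-2019-11510). I'd record the intent next to the flag so the next maintainer knows the coverage moved rather than disappeared: `ignore_parsers: true  # parser stage asserted via scenario.assert; keep source_ip/source_user checks there`. If scenario.assert does not check those fields, keeping a parser.assert for at least one line of the log file would be cheaper than losing them.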
@@ -1,585 +0,0 @@ - -len(results) == 4 -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 16 -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 7 14:19:32" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == 
"pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true 
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "pure-ftpd" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"] == "pureftpd-bf.log" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["machine"] == "ftpcdr" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["program"] == "pure-ftpd" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["timestamp"] == "Jan 7 14:20:06" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["message"] == "(?@172.21.10.2) [INFO] user@test.com is now logged in" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["machine"] == "ftpcdr" -len(results["s01-parse"]["fulljackz/pureftpd-logs"]) == 16 -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["logsource"] == 
"syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["timestamp"] == "Jan 7 14:19:32" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["log_type"] == "pftpd_failed-auth" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] 
Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["log_type"] == "pftpd_failed-auth" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["logsource"] == "syslog" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["machine"] == "ftpcdr" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["program"] == "pure-ftpd" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["log_type"] == "pftpd_failed-auth" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["datasource_type"] == "file" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["machine"] == "ftpcdr" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["service"] == "pureftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][15].Success == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 15 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-01-07T14:19:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 7 14:19:32" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-01-07T14:19:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:32Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "pure-ftpd" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-01-07T14:19:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-01-07T14:19:34Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:34Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_user"] == "root" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"][4:] == "-01-07T14:19:35Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:35Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "172.21.10.2" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"][4:] == "-01-07T14:19:36Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:36Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"][4:] == "-01-07T14:19:37Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "pftpd_failed-auth" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:37Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"][4:] == "-01-07T14:19:38Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:38Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == 
"pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"][4:] == "-01-07T14:19:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"][4:] == "-01-07T14:19:49Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:49Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_user"] == "root" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"][4:] == "-01-07T14:19:59Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:19:59Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "172.21.10.2" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"][4:] == "-01-07T14:20:01Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:20:01Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"][4:] == "-01-07T14:20:02Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:20:02Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"][4:] == "-01-07T14:20:03Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:20:03Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "pure-ftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"] == "pureftpd-bf.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "pftpd_failed-auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["machine"] == "ftpcdr" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "pureftpd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "172.21.10.2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"][4:] == "-01-07T14:20:05Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"][4:] == "-01-07T14:20:05Z" -len(results["success"][""]) == 0 diff --git a/.tests/pureftpd-bf/scenario.assert b/.tests/pureftpd-bf/scenario.assert index 0d068b594c8..c6c9cc928df 100644 --- a/.tests/pureftpd-bf/scenario.assert +++ b/.tests/pureftpd-bf/scenario.assert 
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["172.21.10.2"].IP == "172.21.10.2" results[0].Overflow.Sources["172.21.10.2"].Range == "" results[0].Overflow.Sources["172.21.10.2"].GetScope() == "Ip" results[0].Overflow.Sources["172.21.10.2"].GetValue() == "172.21.10.2" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[0].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[0].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[0].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-07T14:19:31Z" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-07T14:19:31Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[1].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[1].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[1].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-01-07T14:19:32Z" 
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-07T14:19:32Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[2].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[2].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[2].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-01-07T14:19:33Z" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "root" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-07T14:19:33Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[3].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[3].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[3].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-01-07T14:19:34Z" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == 
"root" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-07T14:19:34Z" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[4].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[4].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[4].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-01-07T14:19:35Z" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "pureftpd-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "root" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-07T14:19:35Z" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "pureftpd-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "pftpd_failed-auth" results[0].Overflow.Alert.Events[5].GetMeta("machine") == "ftpcdr" results[0].Overflow.Alert.Events[5].GetMeta("service") == "pureftpd" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.21.10.2" -results[0].Overflow.Alert.Events[5].GetMeta("source_user") == "root" -results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-01-07T14:19:36Z" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-01-07T14:19:36Z" results[0].Overflow.Alert.GetScenario() == "fulljackz/pureftpd-bf" results[0].Overflow.Alert.Remediation == true 
results[0].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/pureftpd-logs/parser.assert b/.tests/pureftpd-logs/parser.assert index 3eecfb078ca..3ac07b4a7ad 100644 --- a/.tests/pureftpd-logs/parser.assert +++ b/.tests/pureftpd-logs/parser.assert 
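Review bot: The rewritten timestamp assertions for Events[0] through Events[5] pin the year (`results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-07T14:19:31Z"`), whereas the lines they replace deliberately sliced it off (`GetMeta("timestamp")[4:] == "-01-07T14:19:31Z"`). The raw syslog timestamps in this fixture carry no year (`"Jan 7 14:19:31"` on the parser side), so the enricher presumably fills in the current year and these six assertions look likely to fail as soon as the suite runs in a different calendar year, unless hubtest now pins a reference date. Keeping the year-agnostic form, `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-07T14:19:31Z"`, for each of the six events removes that time dependency; if the year really is fixed by the test harness, stating where it comes from next to these assertions would save the next reader the same question.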
@@ -5,144 +5,161 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "s
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "pure-ftpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "ftpcdr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "pure-ftpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 7 14:19:32"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "pure-ftpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "ftpcdr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "pure-ftpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49"
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01"
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "ftpcdr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02"
 results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "pure-ftpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03"
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "pure-ftpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05"
-results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["timestamp"] == "Jan 7 14:20:06"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["message"] == "(?@172.21.10.2) [INFO] user@test.com is now logged in"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["program"] == "pure-ftpd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["timestamp"] == "Jan 7 14:20:06"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["machine"] == "ftpcdr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Whitelisted == false
 len(results["s01-parse"]["fulljackz/pureftpd-logs"]) == 16
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Success == true
+results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31"
-results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["timestamp"] == "Jan 7 14:19:31"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Parsed["user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["service"] == "pureftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Success == true
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["logsource"] == "syslog"
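Review bot: `auth_status == "failed"` is asserted only for the failed-auth events in this hunk, while the one successful login in the fixture (s00-raw event 15, `[INFO] user@test.com is now logged in`) has its s01-parse expectations outside this hunk, so it is worth confirming they pin a value other than `"failed"` (or the key's absence): the pureftpd-bf scenario assertions in this commit now carry `auth_status` in place of `log_type`, which suggests the bucket filter keys on it, and a success line classified as failed would count toward the ban threshold. The dropped `log_type` assertions also have no negative counterpart, so a parser that keeps emitting the stale key would still pass; if the harness yields an empty value for a missing key, `results["s01-parse"]["fulljackz/pureftpd-logs"][0].Evt.Meta["log_type"] == ""` would catch that. Every client field in the fixture is the unresolved `(?@172.21.10.2)` form, so `client_ip` (and therefore the `source_ip` the remediation acts on) is untested against the hostname form pure-ftpd logs when reverse DNS lookup is enabled; one additional fixture line in that form would close the gap.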
@@ -150,194 +167,208 @@ results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["message"] == "(?@
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["program"] == "pure-ftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["timestamp"] == "Jan 7 14:19:32"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["service"] == "pureftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["source_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Success == true
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["client_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["timestamp"] == "Jan 7 14:19:33"
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["client_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["service"] == "pureftpd"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["machine"] == "ftpcdr"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["service"] == "pureftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Success == true
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["client_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["timestamp"] == "Jan 7 14:19:34"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["client_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["service"] == "pureftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["source_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Success == true
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["program"] == "pure-ftpd"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["user"] == "root"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["timestamp"] == "Jan 7 14:19:35"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Parsed["user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["service"] == "pureftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Success == true
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["program"] == "pure-ftpd"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["user"] == "root"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["timestamp"] == "Jan 7 14:19:36"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Parsed["user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["service"] == "pureftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Success == true
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["timestamp"] == "Jan 7 14:19:37"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["service"] == "pureftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Success == true
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["client_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["user"] == "root"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["program"] == "pure-ftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["timestamp"] == "Jan 7 14:19:38"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["log_type"] == "pftpd_failed-auth"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Parsed["user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["service"] == "pureftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
-results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Success == true
-results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["timestamp"] == "Jan 7 14:19:39"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["service"] == "pureftpd"
 results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Success == true
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["client_ip"] == "172.21.10.2"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["timestamp"] == "Jan 7 14:19:49"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["source_ip"] == "172.21.10.2"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["source_user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["datasource_path"] == "pureftpd-logs.log"
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["datasource_path"]) == "pureftpd-logs.log"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["log_type"] == "pftpd_failed-auth"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["machine"] == "ftpcdr"
 results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["service"] == "pureftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["source_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["fulljackz/pureftpd-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["fulljackz/pureftpd-logs"][10].Success == true
-results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["program"] == "pure-ftpd"
-results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59"
 results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["client_ip"] == "172.21.10.2"
+results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]"
+results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["program"] == "pure-ftpd"
+results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["timestamp"] == "Jan 7 14:19:59"
 results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["user"] == "root"
-results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["datasource_path"] == "pureftpd-logs.log" +results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["datasource_path"]) == "pureftpd-logs.log" results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["log_type"] == "pftpd_failed-auth" results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["machine"] == "ftpcdr" results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["service"] == "pureftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["source_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][10].Evt.Whitelisted == false results["s01-parse"]["fulljackz/pureftpd-logs"][11].Success == true +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["client_ip"] == "172.21.10.2" +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["program"] == "pure-ftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["timestamp"] == "Jan 7 14:20:01" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Parsed["logsource"] == "syslog" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["datasource_path"] == "pureftpd-logs.log" +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["datasource_path"]) == "pureftpd-logs.log" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["log_type"] == "pftpd_failed-auth" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["machine"] == "ftpcdr" results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["service"] == "pureftpd" +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["source_ip"] == "172.21.10.2" +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][11].Evt.Whitelisted == false results["s01-parse"]["fulljackz/pureftpd-logs"][12].Success == true +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["client_ip"] == "172.21.10.2" +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["program"] == "pure-ftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["timestamp"] == "Jan 7 14:20:02" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Parsed["client_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["datasource_path"] == "pureftpd-logs.log" +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["datasource_path"]) == "pureftpd-logs.log" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["log_type"] == "pftpd_failed-auth" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["machine"] == "ftpcdr" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["service"] == "pureftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["source_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][12].Evt.Whitelisted == false results["s01-parse"]["fulljackz/pureftpd-logs"][13].Success == true +results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["client_ip"] == "172.21.10.2" +results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["program"] == "pure-ftpd" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["timestamp"] == "Jan 7 14:20:03" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Parsed["client_ip"] == "172.21.10.2" 
-results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["datasource_path"] == "pureftpd-logs.log" +results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["datasource_path"]) == "pureftpd-logs.log" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["log_type"] == "pftpd_failed-auth" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["machine"] == "ftpcdr" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["service"] == "pureftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["source_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][13].Evt.Whitelisted == false results["s01-parse"]["fulljackz/pureftpd-logs"][14].Success == true -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["user"] == "root" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["client_ip"] == "172.21.10.2" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["message"] == "(?@172.21.10.2) [WARNING] Authentication failed for user [root]" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["program"] == "pure-ftpd" +results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["timestamp"] == "Jan 7 14:20:05" +results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Parsed["user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["auth_status"] == "failed" 
+basename(results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["datasource_path"]) == "pureftpd-logs.log" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["log_type"] == "pftpd_failed-auth" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["machine"] == "ftpcdr" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["service"] == "pureftpd" results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["source_ip"] == "172.21.10.2" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["source_user"] == "root" -results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["datasource_path"] == "pureftpd-logs.log" +results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Meta["target_user"] == "root" +results["s01-parse"]["fulljackz/pureftpd-logs"][14].Evt.Whitelisted == false results["s01-parse"]["fulljackz/pureftpd-logs"][15].Success == false len(results["success"][""]) == 0 diff --git a/.tests/radarr-bf/parser.assert b/.tests/radarr-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/radarr-bf/scenario.assert b/.tests/radarr-bf/scenario.assert index 5280dc61f1f..e1781bcbd5a 100644 --- a/.tests/radarr-bf/scenario.assert +++ b/.tests/radarr-bf/scenario.assert 
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-09T19:34:12Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-09T19:34:12Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-09T19:34:13Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-10-09T19:34:13Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-09T19:34:14Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-10-09T19:34:14Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-09T19:34:15Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-10-09T19:34:15Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-10-09T19:34:16Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "radarr-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-10-09T19:34:16Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "radarr-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "radarr_failed_authentication"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "radarr"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "radarr"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-10-09T19:34:17Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-10-09T19:34:17Z"
 results[0].Overflow.Alert.GetScenario() == "schiz0phr3ne/radarr-bf"
 results[0].Overflow.Alert.Remediation == true
results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/radarr-logs/parser.assert b/.tests/radarr-logs/parser.assert
index 5d133bcaaf6..9ee10a18e0e 100644
--- a/.tests/radarr-logs/parser.assert
+++ b/.tests/radarr-logs/parser.assert
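Review bot: The rewritten timestamp assertions on Events[0] through Events[5] pin a full year (`results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-09T19:34:12Z"`) where the removed lines deliberately sliced it off with `[4:]`; the raw input checked in the sibling radarr-logs hunk is a syslog timestamp with no year (`"Oct 9 19:34:12"`), so the year is presumably filled in from the wall clock at parse time and these six lines will start failing once the suite runs in another year, unless the harness pins the clock, which nothing in this diff shows. Either keep the year-insensitive form, `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-09T19:34:12Z"`, or give the fixture log lines an explicit year so the full value is stable. Separately, `target_user` is asserted as `"'test'"` with the quotes from the log line included; that is carried over from the old `username` meta rather than introduced here, but it means the meta value is not the bare user name a whitelist or downstream consumer would compare against, which is worth a comment in the fixture.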
@@ -1,261 +1,324 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "33523" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "Radarr" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 9 19:34:12" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "radarr-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "33523" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "Radarr" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Oct 9 19:34:13" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "radarr-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "Radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 19:34:14" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "33523" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "radarr-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "Radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 19:34:14" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 
1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "33523" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "Radarr" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 9 19:34:15" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "radarr-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "Radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 9 19:34:16" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "33523" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "Radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 9 19:34:16" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "radarr-logs.log" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "33523" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "Radarr" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 9 19:34:17" -results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "radarr-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "[Info] Auth: Auth-Success ip 1.2.3.5 username 'test'" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "33523" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "Radarr" results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Oct 9 19:34:18" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "radarr" -results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "radarr-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "radarr-logs.log" 
results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" -len(results["s01-parse"]["schiz0phr3ne/radarr-logs"]) == 7 +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "33523" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "Radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Oct 9 19:35:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "radarr-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "radarr" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false +len(results["s01-parse"]["schiz0phr3ne/radarr-logs"]) == 8 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Success == true -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["pid"] == "33523" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["program"] == "Radarr" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" 
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["pid"] == "33523" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["timestamp"] == "Oct 9 19:34:12" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_path"]) == "radarr-logs.log" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["machine"] == "radarr" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["service"] == "radarr" results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["username"] == "'test'" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_path"] == "radarr-logs.log" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["log_type"] == "radarr_failed_authentication" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["target_user"] == "'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Whitelisted == false results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Success == true -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["username"] == "'test'" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["program"] == "Radarr" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 
username 'test'" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["pid"] == "33523" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["program"] == "Radarr" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["timestamp"] == "Oct 9 19:34:13" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["username"] == "'test'" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_path"] == "radarr-logs.log" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["username"] == "'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_path"]) == "radarr-logs.log" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["log_type"] == "radarr_failed_authentication" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["machine"] == "radarr" results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["service"] == "radarr" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["target_user"] == "'test'" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Whitelisted == false results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Success == true +results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["pid"] == "33523" 
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 19:34:14"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 19:34:14"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["machine"] == "radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Success == true
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["pid"] == "33523"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["timestamp"] == "Oct 9 19:34:15"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["service"] == "radarr"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["machine"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Success == true
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["pid"] == "33523"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["timestamp"] == "Oct 9 19:34:16"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Parsed["program"] == "Radarr"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["service"] == "radarr"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["machine"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Success == true
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["username"] == "'test'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["pid"] == "33523"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["timestamp"] == "Oct 9 19:34:17"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["machine"] == "radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][6].Success == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Success == true
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["pid"] == "33523"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["program"] == "Radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["timestamp"] == "Oct 9 19:35:00"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Parsed["username"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["datasource_path"]) == "radarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["machine"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Meta["target_user"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][7].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "33523"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Oct 9 19:34:12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-10-09T19:34:12Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:12Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-10-09T19:34:12Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:12Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Oct 9 19:34:13"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "33523"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-10-09T19:34:13Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Oct 9 19:34:13"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:13Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-10-09T19:34:13Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:13Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "33523"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "Radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Oct 9 19:34:14"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-10-09T19:34:14Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-10-09T19:34:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "33523"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Oct 9 19:34:15"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "33523"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "Radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Oct 9 19:34:15"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "radarr_failed_authentication"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-10-09T19:34:15Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "radarr-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-10-09T19:34:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "Radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "33523"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "Radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Oct 9 19:34:16"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"][4:] == "-10-09T19:34:16Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "radarr-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2025-10-09T19:34:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Oct 9 19:34:17"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "Radarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "33523"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "Radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Oct 9 19:34:17"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"][4:] == "-10-09T19:34:17Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "'test'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "radarr-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "radarr_failed_authentication"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"][4:] == "-10-09T19:34:17Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "'test'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-10-09T19:34:17Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:34:17Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "33523"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "Radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Oct 9 19:35:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "radarr-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2025-10-09T19:35:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2025-10-09T19:35:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/radarr-logs/radarr-logs.log b/.tests/radarr-logs/radarr-logs.log
index 549788709f0..d8dfbd72b17 100644
--- a/.tests/radarr-logs/radarr-logs.log
+++ b/.tests/radarr-logs/radarr-logs.log
@@ -5,3 +5,4 @@ Oct 9 19:34:15 radarr Radarr[33523]: [Warn] Auth: Auth-Failure ip 1.2.3.4 usern
 Oct 9 19:34:16 radarr Radarr[33523]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 9 19:34:17 radarr Radarr[33523]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 9 19:34:18 radarr Radarr[33523]: [Info] Auth: Auth-Success ip 1.2.3.5 username 'test'
+Oct 9 19:35:00 radarr Radarr[33523]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'
diff --git a/.tests/radarr-nonsyslog-logs/parser.assert b/.tests/radarr-nonsyslog-logs/parser.assert
index 708a12942d7..474bcc21edd 100644
--- a/.tests/radarr-nonsyslog-logs/parser.assert
+++ b/.tests/radarr-nonsyslog-logs/parser.assert
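Review bot: The added fixture line, like the three context lines above it, is a syslog-format entry with no year, so the year in the enriched timestamp is whatever dateparse-enrich fills in from the clock when the suite runs; the scenario assertions in this commit replace the previous year-agnostic `[4:]` slice with a pinned `"2025-10-09T19:35:00Z"`, which will start failing the first time the suite runs in a later year. Either keep the year-agnostic form for the new event, `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"][4:] == "-10-09T19:35:00Z"` (and the same for `Enriched["MarshaledTime"]`), or switch the fixture to a log format that carries an explicit year. This is inferred from the assertion lines visible above; the scenario hunk itself begins outside this view.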
@@ -3,92 +3,98 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-12-16 13:01:07.9|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenenwn'"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Radarr"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-12-16 13:01:12.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenennwnwn2'"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "Radarr"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["schiz0phr3ne/radarr-logs"]) == 2
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Success == true
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["username"] == "enenenwn"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["year"] == "2022"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["date"] == "2022-12-16"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["day"] == "16"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["program"] == "Radarr"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["time"] == "13:01:07.9"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["timestamp"] == "2022-12-16 13:01:07.9"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["log_level"] == "Warn"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["message"] == "2022-12-16 13:01:07.9|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenenwn'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["month"] == "12"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["username"] == "enenenwn"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["time"] == "13:01:07.9"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["timestamp"] == "2022-12-16 13:01:07.9"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["username"] == "enenenwn"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["service"] == "radarr"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Meta["target_user"] == "enenenwn"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Success == true
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["time"] == "13:01:12.2"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["timestamp"] == "2022-12-16 13:01:12.2"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["date"] == "2022-12-16"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["day"] == "16"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["log_level"] == "Warn"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["message"] == "2022-12-16 13:01:12.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenennwnwn2'"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["month"] == "12"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["program"] == "Radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["time"] == "13:01:12.2"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["timestamp"] == "2022-12-16 13:01:12.2"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["username"] == "enenennwnwn2"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["year"] == "2022"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["day"] == "16"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["message"] == "2022-12-16 13:01:12.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenennwnwn2'"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Parsed["program"] == "Radarr"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["service"] == "radarr"
 results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["username"] == "enenennwnwn2"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Meta["target_user"] == "enenennwnwn2"
+results["s01-parse"]["schiz0phr3ne/radarr-logs"][1].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2022-12-16"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "16"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-12-16 13:01:07.9|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenenwn'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "13:01:07.9"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "16"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-12-16 13:01:07.9"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "enenenwn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2022"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-12-16T13:01:07.9Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "enenenwn"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "enenenwn"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-12-16T13:01:07.9Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-12-16T13:01:07.9Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "enenennwnwn2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2022-12-16"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["day"] == "16"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-12-16 13:01:12.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'enenennwnwn2'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-12-16 13:01:12.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Radarr"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "13:01:12.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-12-16 13:01:12.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "enenennwnwn2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "radarr-nonsyslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "radarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "radarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "enenennwnwn2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-12-16T13:01:12.2Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "enenennwnwn2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "radarr-nonsyslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-12-16T13:01:12.2Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/redmine-bf/parser.assert b/.tests/redmine-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/redmine-bf/scenario.assert b/.tests/redmine-bf/scenario.assert
index ef32510e6c7..aac2cc8e604 100644
--- a/.tests/redmine-bf/scenario.assert
+++ b/.tests/redmine-bf/scenario.assert
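Review bot: The new `Evt.Meta["target_user"]` expectations in this hunk pin the username without its surrounding quotes (`== "enenenwn"`, `== "enenennwnwn2"`), while the radarr-logs parser.assert hunk earlier in this commit (its start is outside this chunk) pins the quoted form, `Evt.Meta["target_user"] == "'test'"` and `"'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"`, so the same Radarr username becomes two different target_user values depending on whether the line came through syslog or not. Any scenario that groups on target_user, such as a user-enumeration counter like the redmine one this commit adds, would count `'test'` and `test` as distinct users, and a whitelist keyed on target_user has to know which quoting to expect. I cannot tell from the assertions alone whether the quotes come from the grok pattern or the fixture, but the parser should strip them once so both paths assert the bare name, e.g. `...[5].Evt.Meta["target_user"] == "test"` on the syslog side.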
@@ -1,89 +1,151 @@
-len(results) == 2
+len(results) == 3
 "127.0.0.2" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["127.0.0.2"].IP == "127.0.0.2"
 results[0].Overflow.Sources["127.0.0.2"].Range == ""
 results[0].Overflow.Sources["127.0.0.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.2"].GetValue() == "127.0.0.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-13T09:27:24.245316Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user2"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-13T09:27:25.245316Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user3"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-13T09:27:26.245316Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user4"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-13T09:27:27.245316Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "user5"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-13T09:27:28.245316Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "redmine-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "redmine-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "redmine_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "redmine"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.2"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "user6"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-13T09:27:29.245316Z"
-results[0].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf"
+results[0].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-"127.0.0.1" in results[1].Overflow.GetSources()
-results[1].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
-results[1].Overflow.Sources["127.0.0.1"].Range == ""
-results[1].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
-results[1].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "redmine-bf.log"
+"127.0.0.2" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["127.0.0.2"].IP == "127.0.0.2"
+results[1].Overflow.Sources["127.0.0.2"].Range == ""
+results[1].Overflow.Sources["127.0.0.2"].GetScope() == "Ip"
+results[1].Overflow.Sources["127.0.0.2"].GetValue() == "127.0.0.2"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-13T09:25:23.245316Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "redmine-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-13T09:27:24.245316Z"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-13T09:25:24.245316Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "redmine-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "user2"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-13T09:27:25.245316Z"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-13T09:25:25.245316Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "redmine-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "user3"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-13T09:27:26.245316Z"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-13T09:25:26.245316Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "redmine-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "user4"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-13T09:27:27.245316Z"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-13T09:25:27.245316Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "redmine-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "user5"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-13T09:27:28.245316Z"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "redmine-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "redmine_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "redmine"
-results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
-results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-13T09:25:28.245316Z"
+results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "user6"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-13T09:27:29.245316Z"
 results[1].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[1].Overflow.Alert.GetEventsCount() == 6
+"127.0.0.1" in results[2].Overflow.GetSources()
+results[2].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
+results[2].Overflow.Sources["127.0.0.1"].Range == ""
+results[2].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
+results[2].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-03-13T09:25:23.245316Z"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[1].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-03-13T09:25:24.245316Z"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[2].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-03-13T09:25:25.245316Z"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[3].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-03-13T09:25:26.245316Z"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[4].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-03-13T09:25:27.245316Z"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "redmine-bf.log"
+results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[5].GetMeta("service") == "redmine"
+results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "user"
+results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-03-13T09:25:28.245316Z"
+results[2].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf"
+results[2].Overflow.Alert.Remediation == true
+results[2].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/redmine-logs/parser.assert b/.tests/redmine-logs/parser.assert
index 92104aec749..04d2d14c700 100644
--- a/.tests/redmine-logs/parser.assert
+++ b/.tests/redmine-logs/parser.assert
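Review bot: The order of the two alerts raised for 127.0.0.2 is pinned by position, `results[0].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf_user-enum"` then `results[1].Overflow.Alert.GetScenario() == "LePresidente/redmine-bf"`, even though both overflow on the same six events with identical timestamps, so the expectations will flip if the harness ever evaluates the two scenarios in a different order; I cannot see from this file what fixes that order, so if the assert format allows it, tie each scenario name to its source and event set rather than to an index. Both alerts also carry `Remediation == true` for the same source, which is presumably intended (enumeration and brute force are distinct signals) but means one attacker yields two decisions, worth stating in the user-enum scenario's description. The negative case, six failures for the single user `user` from 127.0.0.1 raising only `LePresidente/redmine-bf` in results[2], is covered only indirectly through `len(results) == 3`.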
@@ -1,34 +1,60 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "redmine"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "I, [2023-03-13T09:18:03.678079 #1] INFO -- : Successful authentication for 'user' from 127.0.0.1 at 2023-03-13 09:18:03 UTC"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "redmine-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "redmine"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "redmine-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "W, [2023-03-13T09:25:23.245316 #1] WARN -- : Failed login for 'user' from 127.0.0.1 at 2023-03-13 09:25:23 UTC"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "redmine"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "redmine-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "redmine-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "W, [2023-03-13T09:26:00.000000 #1] WARN -- : Failed login for 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl' from 127.0.0.1 at 2023-03-13 09:26:00 UTC"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "redmine"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "redmine-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-len(results["s01-parse"]["LePresidente/redmine-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+len(results["s01-parse"]["LePresidente/redmine-logs"]) == 3
 results["s01-parse"]["LePresidente/redmine-logs"][0].Success == false
 results["s01-parse"]["LePresidente/redmine-logs"][1].Success == true
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["timestamp"] == "2023-03-13T09:25:23.245316"
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["username"] == "user"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["date"] == "2023-03-13 09:25:23 UTC"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["loglevel"] == "WARN"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["message"] == "W, [2023-03-13T09:25:23.245316 #1] WARN -- : Failed login for 'user' from 127.0.0.1 at 2023-03-13 09:25:23 UTC"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["program"] == "redmine"
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["log_type"] == "redmine_failed_auth"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["timestamp"] == "2023-03-13T09:25:23.245316"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Parsed["username"] == "user"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["datasource_path"]) == "redmine-logs.log"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["service"] == "redmine"
 results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["datasource_path"] == "redmine-logs.log"
-results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["datasource_type"] == "file"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Meta["target_user"] == "user"
+results["s01-parse"]["LePresidente/redmine-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["LePresidente/redmine-logs"][2].Success == true
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["date"] == "2023-03-13 09:26:00 UTC"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["loglevel"] == "WARN"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["message"] == "W, [2023-03-13T09:26:00.000000 #1] WARN -- : Failed login for 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl' from 127.0.0.1 at 2023-03-13 09:26:00 UTC"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["program"] == "redmine"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["timestamp"] == "2023-03-13T09:26:00.000000"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["datasource_path"]) == "redmine-logs.log"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["service"] == "redmine"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s01-parse"]["LePresidente/redmine-logs"][2].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2023-03-13 09:25:23 UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["loglevel"] == "WARN"
@@ -37,11 +63,30 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-03-13T09:25:23.245316"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "user"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "redmine-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "redmine-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "redmine_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "redmine"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "user"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-13T09:25:23.245316Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-03-13T09:25:23.245316Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2023-03-13 09:26:00 UTC"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["loglevel"] == "WARN"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "W, [2023-03-13T09:26:00.000000 #1] WARN -- : Failed login for 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl' from 127.0.0.1 at 2023-03-13 09:26:00 UTC"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "redmine"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-03-13T09:26:00.000000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "redmine-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "redmine"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-03-13T09:26:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-03-13T09:26:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/redmine-logs/redmine-logs.log b/.tests/redmine-logs/redmine-logs.log
index 44812cb7939..5b1366d60ea 100644
--- a/.tests/redmine-logs/redmine-logs.log
+++ b/.tests/redmine-logs/redmine-logs.log
@@ -1,2 +1,3 @@
 I, [2023-03-13T09:18:03.678079 #1] INFO -- : Successful authentication for 'user' from 127.0.0.1 at 2023-03-13 09:18:03 UTC
-W, [2023-03-13T09:25:23.245316 #1] WARN -- : Failed login for 'user' from 127.0.0.1 at 2023-03-13 09:25:23 UTC
\ No newline at end of file
+W, [2023-03-13T09:25:23.245316 #1] WARN -- : Failed login for 'user' from 127.0.0.1 at 2023-03-13 09:25:23 UTC
+W, [2023-03-13T09:26:00.000000 #1] WARN -- : Failed login for 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl' from 127.0.0.1 at 2023-03-13 09:26:00 UTC
\ No newline at end of file
diff --git a/.tests/sabnzbd-bf/parser.assert b/.tests/sabnzbd-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/sabnzbd-bf/scenario.assert b/.tests/sabnzbd-bf/scenario.assert
index 9c1b174af58..2b5e9c1204d 100644
--- a/.tests/sabnzbd-bf/scenario.assert
+++ b/.tests/sabnzbd-bf/scenario.assert
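Review bot: Both failed-login lines in this fixture use usernames drawn only from `[A-Za-z0-9-]`, so the new `target_user == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"` assertions cannot show whether the username capture stops early on characters Redmine accepts in login names (as far as I recall `.`, `_` and `@`). A third line such as `W, [2023-03-13T09:27:00.000000 #1] WARN -- : Failed login for 'j.doe@example.org' from 127.0.0.1 at 2023-03-13 09:27:00 UTC`, with a matching `target_user` expectation in parser.assert, would pin that. The username is attacker-chosen input copied verbatim into alert metadata, so it is the field most likely to carry characters the pattern was not written for.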
@@ -4,69 +4,69 @@ results[0].Overflow.Sources["192.168.10.1"].IP == "192.168.10.1"
 results[0].Overflow.Sources["192.168.10.1"].Range == ""
 results[0].Overflow.Sources["192.168.10.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.10.1"].GetValue() == "192.168.10.1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-20T12:30:20.034Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-20T12:30:40.034Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-20T12:31:00.034Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-20T12:31:20.034Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-07-20T12:31:40.034Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-07-20T12:32:00.034Z"
-results[0].Overflow.Alert.Events[6].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[6].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2024-07-20T12:32:20.034Z"
-results[0].Overflow.Alert.Events[7].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[7].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2024-07-20T12:32:40.034Z"
-results[0].Overflow.Alert.Events[8].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[8].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2024-07-20T12:33:00.034Z"
-results[0].Overflow.Alert.Events[9].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[9].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2024-07-20T12:33:20.034Z"
-results[0].Overflow.Alert.Events[10].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[0].Overflow.Alert.Events[10].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[0].Overflow.Alert.Events[10].GetMeta("service") == "sabnzbd"
 results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "192.168.10.1"
 results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2024-07-20T12:33:40.034Z"
@@ -78,27 +78,27 @@ results[1].Overflow.Sources["192.168.1.2"].IP == "192.168.1.2"
 results[1].Overflow.Sources["192.168.1.2"].Range == ""
 results[1].Overflow.Sources["192.168.1.2"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.1.2"].GetValue() == "192.168.1.2"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "sabnzbd"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-20T12:27:52.797Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "sabnzbd"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-20T12:27:53.797Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "sabnzbd"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-20T12:27:54.797Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sabnzbd-logs.log"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sabnzbd-logs.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "sabnzbd_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "sabnzbd"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.2"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-20T12:27:55.797Z"
diff --git a/.tests/sabnzbd-logs/parser.assert b/.tests/sabnzbd-logs/parser.assert
index d022a036ad0..f02a4210f63 100644
--- a/.tests/sabnzbd-logs/parser.assert
+++ b/.tests/sabnzbd-logs/parser.assert
@@ -3,31 +3,31 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2024-07-20 12:27:52,797::WARNING::[interface:657] Unsuccessful login attempt from 192.168.10.1 (X-Forwarded-For: 192.168.1.2, 192.168.1.3) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "sabnzbd"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2024-07-20 12:27:55,267::WARNING::[interface:657] Fehlerhafter Login Versuch von 192.168.10.1 (X-Forwarded-For: 192.168.1.2) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "sabnzbd"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2024-07-20 12:27:57,593::WARNING::[interface:657] Echec de la tentative de connexion de 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "sabnzbd"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2024-07-20 12:28:00,034::WARNING::[interface:657] Mislukte login poging van 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "sabnzbd"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2024-07-22 11:11:16,301::WARNING::[interface:657] Unsuccessful login attempt from ::ffff:172.18.0.1 (X-Forwarded-For: ::1) [Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "sabnzbd"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
@@ -47,9 +47,9 @@ results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Parsed["sabnzbd_message"] == "Unsuccessful login attempt from 192.168.10.1 (X-Forwarded-For: 192.168.1.2, 192.168.1.3) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Parsed["timestamp"] == "2024-07-20 12:27:52,797"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["service"] == "sabnzbd"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Whitelisted == false
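Review bot: The context line `results["s01-parse"]["crowdsecurity/sabnzbd-logs"][0].Evt.Meta["source_ip"] == "192.168.1.2"` pins that, for the two-hop `X-Forwarded-For: 192.168.1.2, 192.168.1.3` in this event, the parser attributes the failed login to the left-most forwarded entry rather than to the connecting address `192.168.10.1` or to the right-most hop. The left-most entry is the one a client can set freely, so anyone who can reach sabnzbd through a proxy that passes the header unmodified can steer the brute-force scenario toward an IP of their choosing; the right-most value is the one appended by the nearest proxy and is the usual candidate when a proxy is trusted at all. This hunk only swaps `log_type` for `auth_status`, so the behaviour predates it, but now that the test documents it as expected it deserves a sentence in the parser's description saying that `X-Forwarded-For` is trusted and the parser is only safe behind a proxy that overwrites the header. The parser itself is not in the diff, so I cannot tell whether the first-entry choice is deliberate.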
@@ -63,9 +63,9 @@ results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Parsed["sabnzbd_message"] == "Fehlerhafter Login Versuch von 192.168.10.1 (X-Forwarded-For: 192.168.1.2) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Parsed["timestamp"] == "2024-07-20 12:27:55,267"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["service"] == "sabnzbd"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][1].Evt.Whitelisted == false
@@ -78,9 +78,9 @@ results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Parsed["sabnzbd_message"] == "Echec de la tentative de connexion de 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Parsed["timestamp"] == "2024-07-20 12:27:57,593"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["service"] == "sabnzbd"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Meta["source_ip"] == "192.168.10.1"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][2].Evt.Whitelisted == false
@@ -93,9 +93,9 @@ results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Parsed["sabnzbd_message"] == "Mislukte login poging van 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Parsed["timestamp"] == "2024-07-20 12:28:00,034"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["service"] == "sabnzbd"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Meta["source_ip"] == "192.168.10.1"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][3].Evt.Whitelisted == false
@@ -109,9 +109,9 @@ results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Parsed["program"] == "
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Parsed["sabnzbd_message"] == "Unsuccessful login attempt from ::ffff:172.18.0.1 (X-Forwarded-For: ::1) [Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Parsed["timestamp"] == "2024-07-22 11:11:16,301"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Parsed["user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["service"] == "sabnzbd"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Whitelisted == false
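Review bot: `results["s01-parse"]["crowdsecurity/sabnzbd-logs"][4].Evt.Meta["source_ip"] == "::1"` confirms that a client-supplied `X-Forwarded-For: ::1` replaces the real peer `::ffff:172.18.0.1` as the event source. In a deployment where the header is not stripped by a trusted proxy, a remote attacker sending that header has their failed logins attributed to loopback, which the hub's default whitelist parser (if installed) ignores and which no decision would sensibly target, so the sabnzbd-bf scenario would never fire for them. Unless the parser is documented as proxy-only, the expected value here should arguably be the peer address, or the parser should fall back to the peer when the forwarded value is loopback or unspecified; either way this fixture line is the right regression test once the intended behaviour is decided, and the hunk makes it explicit that today the forwarded value wins.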
@@ -126,9 +126,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sabnzbd_message"] == "Unsuccessful login attempt from 192.168.10.1 (X-Forwarded-For: 192.168.1.2, 192.168.1.3) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2024-07-20 12:27:52,797"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "sabnzbd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-07-20T12:27:52.797Z"
@@ -144,9 +144,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sabnzbd_message"] == "Fehlerhafter Login Versuch von 192.168.10.1 (X-Forwarded-For: 192.168.1.2) [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2024-07-20 12:27:55,267"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "sabnzbd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-07-20T12:27:55.267Z"
@@ -161,9 +161,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sabnzbd_message"] == "Echec de la tentative de connexion de 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2024-07-20 12:27:57,593"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "sabnzbd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.10.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-07-20T12:27:57.593Z"
@@ -178,9 +178,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sabnzbd_message"] == "Mislukte login poging van 192.168.10.1 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0]"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2024-07-20 12:28:00,034"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "sabnzbd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.10.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-07-20T12:28:00.034Z"
@@ -196,9 +196,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["sabnzbd_message"] == "Unsuccessful login attempt from ::ffff:172.18.0.1 (X-Forwarded-For: ::1) [Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2024-07-22 11:11:16,301"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["user_agent"] == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "sabnzbd-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "sabnzbd-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "sabnzbd_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "sabnzbd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-07-22T11:11:16.301Z"
diff --git a/.tests/sap-probing/parser.assert b/.tests/sap-probing/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/sftpgo-bf/scenario.assert b/.tests/sftpgo-bf/scenario.assert
index f46f3eaf3be..401d2eb6055 100644
--- a/.tests/sftpgo-bf/scenario.assert
+++ b/.tests/sftpgo-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["192.168.1.101"].IP == "192.168.1.101" results[0].Overflow.Sources["192.168.1.101"].Range == "" results[0].Overflow.Sources["192.168.1.101"].GetScope() == "Ip" results[0].Overflow.Sources["192.168.1.101"].GetValue() == "192.168.1.101" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sftpgo-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("error") == "invalid credentials" results[0].Overflow.Alert.Events[0].GetMeta("is_failed_login") == "true" results[0].Overflow.Alert.Events[0].GetMeta("log_level") == "debug" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "sftpgo_auth" results[0].Overflow.Alert.Events[0].GetMeta("login_type") == "password" results[0].Overflow.Alert.Events[0].GetMeta("protocol") == "SSH" results[0].Overflow.Alert.Events[0].GetMeta("service") == "sftpgo" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.101" results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "admin" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-14T17:00:00.1Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sftpgo-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[1].GetMeta("error") == "invalid credentials" results[0].Overflow.Alert.Events[1].GetMeta("is_failed_login") == "true" results[0].Overflow.Alert.Events[1].GetMeta("log_level") == "debug" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "sftpgo_auth" results[0].Overflow.Alert.Events[1].GetMeta("login_type") == "password" results[0].Overflow.Alert.Events[1].GetMeta("protocol") == "SSH" results[0].Overflow.Alert.Events[1].GetMeta("service") == "sftpgo" 
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.101" results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-14T17:00:05.2Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sftpgo-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[2].GetMeta("error") == "invalid credentials" results[0].Overflow.Alert.Events[2].GetMeta("is_failed_login") == "true" results[0].Overflow.Alert.Events[2].GetMeta("log_level") == "debug" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "sftpgo_auth" results[0].Overflow.Alert.Events[2].GetMeta("login_type") == "keyboard-interactive" results[0].Overflow.Alert.Events[2].GetMeta("protocol") == "SSH" results[0].Overflow.Alert.Events[2].GetMeta("service") == "sftpgo" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.101" results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-14T17:00:10.3Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sftpgo-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[3].GetMeta("error") == "invalid credentials" results[0].Overflow.Alert.Events[3].GetMeta("is_failed_login") == "true" results[0].Overflow.Alert.Events[3].GetMeta("log_level") == "debug" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "sftpgo_auth" results[0].Overflow.Alert.Events[3].GetMeta("login_type") == "password" results[0].Overflow.Alert.Events[3].GetMeta("protocol") == "FTP" results[0].Overflow.Alert.Events[3].GetMeta("service") == "sftpgo" 
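Review bot: The added `GetMeta("auth_status") == "failed"` lines sit next to the unchanged `GetMeta("is_failed_login") == "true"` on every event, so two meta keys now encode the same fact in two representations (an enum-like string and a stringified bool). That doubles what a scenario author has to know and invites drift if the two keys are ever set from different branches of the parser; keeping one — `auth_status`, since it also covers the success case in the impossible-travel fixture — and dropping `is_failed_login`, or documenting that it is retained only for compatibility, would keep the meta schema coherent. The same pairing recurs in the sftpgo-logs parser hunks for events 37, 38, 40 and 43.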
diff --git a/.tests/sftpgo-impossible-travel/scenario.assert b/.tests/sftpgo-impossible-travel/scenario.assert
index c4f4cb4b45a..5258d99b4be 100644
--- a/.tests/sftpgo-impossible-travel/scenario.assert
+++ b/.tests/sftpgo-impossible-travel/scenario.assert
@@ -1,36 +1,36 @@
 len(results) == 1
-"9.8.8.8" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8"
-results[0].Overflow.Sources["9.8.8.8"].Range == ""
-results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip"
-results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
 "1.2.3.4" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+"9.8.8.8" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8"
+results[0].Overflow.Sources["9.8.8.8"].Range == ""
+results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip"
+results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
 results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "success"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sftpgo-impossible-travel.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_level") == "info"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "sftpgo"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "bob"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-14T16:56:57.706Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "bob"
 results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "success"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sftpgo-impossible-travel.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_level") == "info"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "sftpgo"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "bob"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-14T16:57:19.173Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "bob"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
 results[0].Overflow.Alert.Remediation == false
 results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/sftpgo-logs/parser.assert b/.tests/sftpgo-logs/parser.assert
index 24f037ac548..aa5b5cc3625 100644
--- a/.tests/sftpgo-logs/parser.assert
+++ b/.tests/sftpgo-logs/parser.assert
@@ -343,18 +343,18 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Parsed["message"] == "{\"leve results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Parsed["program"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Parsed["username"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["log_level"] == "info" -results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Meta["target_user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["connection_id"] == "34e4ab426f1522416ac2d92815e2041f2e5d4f0af631d6edcd712afbac2ccf61" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["level"] == "info" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["sender"] == "SSH" results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:56:57.706" 
-results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Unmarshaled["sftpgo"]["connection_id"] == "34e4ab426f1522416ac2d92815e2041f2e5d4f0af631d6edcd712afbac2ccf61"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][1].Success == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][2].Success == false
@@ -370,13 +370,13 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Parsed["message"] == "{\"lev
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Parsed["program"] == "sftpgo"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Parsed["username"] == "bob"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["log_level"] == "info"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["service"] == "sftpgo"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["user"] == "bob"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Meta["target_user"] == "bob"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_13"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][10].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? false"
@@ -390,18 +390,18 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Parsed["message"] == "{\"lev
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Parsed["program"] == "sftpgo"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Parsed["username"] == "bob"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["auth_status"] == "success"
 basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["log_level"] == "info"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["log_type"] == "auth_success"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["service"] == "sftpgo"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["user"] == "bob"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["connection_id"] == "b6e3b2dca7eec7e1672472f83466853e1589f1991d0fac2b962c2b714fc984ba"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Meta["target_user"] == "bob"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["sender"] == "SSH"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:36.616"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Unmarshaled["sftpgo"]["connection_id"] == "b6e3b2dca7eec7e1672472f83466853e1589f1991d0fac2b962c2b714fc984ba"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][14].Success == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][15].Success == false
@@ -416,18 +416,18 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Parsed["message"] == "{\"lev results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Parsed["program"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Parsed["username"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["log_level"] == "info" -results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Meta["target_user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP" +results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:45.270" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_14" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["level"] == "info" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? 
false" -results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP" -results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:45.270" results["s01-parse"]["Azlaroc/sftpgo-logs"][22].Evt.Whitelisted == false results["s01-parse"]["Azlaroc/sftpgo-logs"][23].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][24].Success == false 
@@ -436,18 +436,18 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Parsed["message"] == "{\"lev results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Parsed["program"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Parsed["username"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["log_level"] == "info" -results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Meta["target_user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["connection_id"] == "55f35cafbc585ec9ec97e08785cc43a90310fb89c9b6ef150f46f07b9ae9802a" +results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["level"] == "info" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["sender"] == "SSH" results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:58:02.799" 
-results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["connection_id"] == "55f35cafbc585ec9ec97e08785cc43a90310fb89c9b6ef150f46f07b9ae9802a"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][25].Evt.Whitelisted == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][26].Success == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][27].Success == false
@@ -462,36 +462,35 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Parsed["message"] == "{\"lev results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Parsed["program"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Parsed["username"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["auth_status"] == "success" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["log_level"] == "info" -results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Meta["target_user"] == "bob" +results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP" +results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:58:13.269" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_15" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["level"] == "info" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? 
false" -results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP" -results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:58:13.269" results["s01-parse"]["Azlaroc/sftpgo-logs"][34].Evt.Whitelisted == false results["s01-parse"]["Azlaroc/sftpgo-logs"][35].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][36].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Success == true results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:44.443\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"password\",\"protocol\":\"SSH\",\"error\":\"invalid credentials\"}" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Parsed["program"] == "sftpgo" +results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["error"] == "invalid credentials" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["is_failed_login"] == "true" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["log_level"] == "debug" -results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["log_type"] == "sftpgo_auth" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["login_type"] == "password" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["protocol"] == "SSH" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["source_ip"] == "192.168.1.101" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Meta["target_user"] == "bob" -results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["time"] == 
"2025-09-14T16:59:44.443" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["username"] == "bob" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["client_ip"] == "192.168.1.101" results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["error"] == "invalid credentials" 
@@ -499,16 +498,17 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["level
 results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["login_type"] == "password"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["protocol"] == "SSH"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:59:44.443"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][37].Evt.Whitelisted == false
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Success == true
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:44.796\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"keyboard-interactive\",\"protocol\":\"SSH\",\"error\":\"invalid credentials\"}"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Parsed["program"] == "sftpgo"
+results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["error"] == "invalid credentials"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["is_failed_login"] == "true"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["log_level"] == "debug"
-results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["log_type"] == "sftpgo_auth"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["login_type"] == "keyboard-interactive"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["protocol"] == "SSH"
 results["s01-parse"]["Azlaroc/sftpgo-logs"][38].Evt.Meta["service"] == "sftpgo"
@@ -527,36 +527,36 @@ results["s01-parse"]["Azlaroc/sftpgo-logs"][39].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Success == true results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:50.520\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"\",\"login_type\":\"no_auth_tried\",\"protocol\":\"SSH\",\"error\":\"ssh: disconnect, reason 11: \"}" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Parsed["program"] == "sftpgo" +results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["error"] == "ssh: disconnect, reason 11: " results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["is_failed_login"] == "true" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["log_level"] == "debug" -results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["log_type"] == "sftpgo_auth" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["login_type"] == "no_auth_tried" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["protocol"] == "SSH" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["service"] == "sftpgo" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Meta["source_ip"] == "192.168.1.101" +results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed" +results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:59:50.520" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["username"] == "" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["client_ip"] == "192.168.1.101" 
results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["error"] == "ssh: disconnect, reason 11: " results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["level"] == "debug" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["login_type"] == "no_auth_tried" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["protocol"] == "SSH" -results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed" -results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:59:50.520" results["s01-parse"]["Azlaroc/sftpgo-logs"][40].Evt.Whitelisted == false results["s01-parse"]["Azlaroc/sftpgo-logs"][41].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][42].Success == false results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Success == true results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T17:00:12.574\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"password\",\"protocol\":\"FTP\",\"error\":\"invalid credentials\"}" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Parsed["program"] == "sftpgo" +results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["error"] == "invalid credentials" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["is_failed_login"] == "true" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["log_level"] == "debug" -results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["log_type"] == "sftpgo_auth" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["login_type"] == "password" 
results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["protocol"] == "FTP" results["s01-parse"]["Azlaroc/sftpgo-logs"][43].Evt.Meta["service"] == "sftpgo" 
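Review bot: Event 40 carries `login_type == "no_auth_tried"`, an empty `username` and the error `ssh: disconnect, reason 11: ` (the SSH "disconnect by application" code), yet the new `Meta["auth_status"] == "failed"` line in this hunk classifies it as a failed authentication. A client that closes the connection before presenting any credential — port scanners, health checks, aborted sessions — is not a credential failure, and counting it in a brute-force bucket yields decisions that are hard to justify from the evidence; the pre-existing `is_failed_login == "true"` already did this, so `auth_status` merely propagates it. Consider a distinct value such as `auth_status == "aborted"` (constructed name) or leaving the key unset when `login_type == "no_auth_tried"`, and recording the choice in the parser, e.g. `# no_auth_tried: client disconnected before authenticating; not a failed login`. The sftpgo-bf scenario fixture above would then show whether the bucket still overflows without that event.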
@@ -581,94 +581,94 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-09-14T16:56:57.706Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:56:57.706Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["sender"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:56:57.706"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["connection_id"] == "34e4ab426f1522416ac2d92815e2041f2e5d4f0af631d6edcd712afbac2ccf61"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"level\":\"info\",\"time\":\"2025-09-14T16:57:19.173\",\"sender\":\"FTP\",\"connection_id\":\"FTP_0_13\",\"message\":\"User \\\"bob\\\" logged in with \\\"password\\\" from ip \\\"1.2.3.4\\\", TLS enabled? false\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-09-14T16:57:19.173Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:57:19.173Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:19.173"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_13"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? false"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:19.173"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"level\":\"info\",\"time\":\"2025-09-14T16:57:36.616\",\"sender\":\"SSH\",\"connection_id\":\"b6e3b2dca7eec7e1672472f83466853e1589f1991d0fac2b962c2b714fc984ba\",\"message\":\"User \\\"bob\\\" logged in with \\\"keyboard-interactive\\\", from ip \\\"1.2.3.4\\\", client version \\\"SSH-2.0-FileZilla_3.69.3\\\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-09-14T16:57:36.616Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:57:36.616Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["connection_id"] == "b6e3b2dca7eec7e1672472f83466853e1589f1991d0fac2b962c2b714fc984ba"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"keyboard-interactive\", from ip \"1.2.3.4\", client version \"SSH-2.0-FileZilla_3.69.3\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["sender"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:36.616"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["connection_id"] == "b6e3b2dca7eec7e1672472f83466853e1589f1991d0fac2b962c2b714fc984ba"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"level\":\"info\",\"time\":\"2025-09-14T16:57:45.270\",\"sender\":\"FTP\",\"connection_id\":\"FTP_0_14\",\"message\":\"User \\\"bob\\\" logged in with \\\"password\\\" from ip \\\"1.2.3.4\\\", TLS enabled? false\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-09-14T16:57:45.27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:57:45.27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? false"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:57:45.270"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_14"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["level"] == "info"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? false"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "{\"level\":\"info\",\"time\":\"2025-09-14T16:58:02.799\",\"sender\":\"SSH\",\"connection_id\":\"55f35cafbc585ec9ec97e08785cc43a90310fb89c9b6ef150f46f07b9ae9802a\",\"message\":\"User \\\"bob\\\" logged in with \\\"keyboard-interactive\\\", from ip \\\"1.2.3.4\\\", client version \\\"SSH-2.0-FileZilla_3.69.3\\\", negotiated algorithms: {KeyExchange:curve25519-sha256 HostKey:ssh-ed25519 Read:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none} Write:{Cipher:aes256-ctr MAC:hmac-sha2-256 compression:none}}\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2025-09-14T16:58:02.799Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:58:02.799Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["sftpgo"]["connection_id"] == "55f35cafbc585ec9ec97e08785cc43a90310fb89c9b6ef150f46f07b9ae9802a"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["sftpgo"]["level"] == "info"
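Review bot: The `Meta["log_type"]` and `Meta["user"]` assertions are dropped for events [0]–[4] and replaced by `auth_status`/`target_user`, but this part of the diff shows only the parser output, not the scenarios or whitelists that consume those metas; anything still filtering on `evt.Meta.log_type == "auth_success"` or reading `evt.Meta.user` would stop matching silently rather than fail a test. The same rename is made in the hunks at `@@ -681`, `@@ -724` and `@@ -737`, and in the smb-bf scenario.assert hunk further down. It would be worth stating in the parser's `description:` (or the PR description) that `log_type`/`user` were replaced by `auth_status`/`target_user`, so that anyone regenerating these assertions or maintaining a local scenario knows the metas are gone rather than missing by accident.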
@@ -681,30 +681,30 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "bob"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "success"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_level"] == "info"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "auth_success"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-09-14T16:58:13.269Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:58:13.269Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_15"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["message"] == "User \"bob\" logged in with \"password\" from ip \"1.2.3.4\", TLS enabled? false"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["sender"] == "FTP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:58:13.269"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["connection_id"] == "FTP_0_15"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["sftpgo"]["level"] == "info"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:44.443\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"password\",\"protocol\":\"SSH\",\"error\":\"invalid credentials\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "sftpgo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["error"] == "invalid credentials"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["is_failed_login"] == "true"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "sftpgo_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["login_type"] == "password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["protocol"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "sftpgo"
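Review bot: Event [6] now carries both `Meta["auth_status"] == "failed"` and the pre-existing `Meta["is_failed_login"] == "true"`, so the same fact is encoded twice under two names while the success events [0]–[5] get only `auth_status`; the `@@ -724` and `@@ -737` hunks repeat this for events [7]–[9]. If `is_failed_login` is kept on purpose so existing scenarios keep working, that is worth saying in the parser's `description:`; otherwise dropping it here would leave `auth_status` as the single field a scenario should key on.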
@@ -724,12 +724,12 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == fa
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:44.796\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"keyboard-interactive\",\"protocol\":\"SSH\",\"error\":\"invalid credentials\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "sftpgo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["error"] == "invalid credentials"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["is_failed_login"] == "true"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "sftpgo_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["login_type"] == "keyboard-interactive"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["protocol"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "sftpgo"
@@ -737,48 +737,48 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2025-09-14T16:59:44.796Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:59:44.796Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["login_type"] == "keyboard-interactive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["protocol"] == "SSH"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:59:44.796"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["username"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["client_ip"] == "192.168.1.101"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["error"] == "invalid credentials"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["login_type"] == "keyboard-interactive"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["protocol"] == "SSH"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T16:59:50.520\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"\",\"login_type\":\"no_auth_tried\",\"protocol\":\"SSH\",\"error\":\"ssh: disconnect, reason 11: \"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "sftpgo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["error"] == "ssh: disconnect, reason 11: "
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["is_failed_login"] == "true"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "sftpgo_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["login_type"] == "no_auth_tried"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["protocol"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "sftpgo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.1.101"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2025-09-14T16:59:50.52Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2025-09-14T16:59:50.52Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["error"] == "ssh: disconnect, reason 11: "
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["login_type"] == "no_auth_tried"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["protocol"] == "SSH"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["time"] == "2025-09-14T16:59:50.520"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["username"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["client_ip"] == "192.168.1.101"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["error"] == "ssh: disconnect, reason 11: "
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "{\"level\":\"debug\",\"time\":\"2025-09-14T17:00:12.574\",\"sender\":\"connection_failed\",\"client_ip\":\"192.168.1.101\",\"username\":\"bob\",\"login_type\":\"password\",\"protocol\":\"FTP\",\"error\":\"invalid credentials\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "sftpgo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "sftpgo-logs-25.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["error"] == "invalid credentials"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["is_failed_login"] == "true"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_level"] == "debug"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "sftpgo_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["login_type"] == "password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["protocol"] == "FTP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "sftpgo"
@@ -786,7 +786,6 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2025-09-14T17:00:12.574Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2025-09-14T17:00:12.574Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["login_type"] == "password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["protocol"] == "FTP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["sender"] == "connection_failed"
@@ -794,5 +793,6 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftp
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["username"] == "bob"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["client_ip"] == "192.168.1.101"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["error"] == "invalid credentials"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Unmarshaled["sftpgo"]["level"] == "debug"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 len(results["success"][""]) == 0
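Review bot: The `-`/`+` pairs for `Unmarshaled["sftpgo"]["level"]`, `login_type`, `protocol` and `sender` in this hunk, and the `level` line that `@@ -786` removes and `@@ -794` re-adds three lines later, are byte-identical assertions that only changed position; the same shuffle of `message`/`sender`/`time`/`connection_id` shows up for events [0]–[5] in the `@@ -581` and `@@ -681` hunks. That pattern looks like the assertion generator walking the `Unmarshaled` map in iteration order, so the next regeneration may move them back and every future PR touching this file will carry the same noise. Sorting the keys when the `.assert` file is emitted, or reverting the pure moves before merging, would keep the diff down to the `log_type`/`auth_status` change that is actually under review.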
diff --git a/.tests/smb-bf/parser.assert b/.tests/smb-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/smb-bf/scenario.assert b/.tests/smb-bf/scenario.assert
index ba9e9fe1fba..4e4a2215e6c 100644
--- a/.tests/smb-bf/scenario.assert
+++ b/.tests/smb-bf/scenario.assert
@@ -4,37 +4,60 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:04:52Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:04:53Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T10:04:54Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "smb-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "smb"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "toto"
+results[0].Overflow.Alert.Events[5].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "toto"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-09-24T10:04:57Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/smb-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-
diff --git a/.tests/smb-logs/parser.assert b/.tests/smb-logs/parser.assert
index f8a84828d8b..f453b13273e 100644
--- a/.tests/smb-logs/parser.assert
+++ b/.tests/smb-logs/parser.assert
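Review bot: All six alert events in this hunk assert `GetMeta("subtype") == "smb_bad_user"`, so the overflow is only shown to fill with unknown-user failures, while the smb-logs parser fixture further down also feeds a `NT_STATUS_WRONG_PASSWORD` line for an existing account and nothing here demonstrates that such a failure counts toward the same bucket. Adding one wrong-password line to the smb-bf log, with the matching `Events[n]` assertions, would pin that both failure kinds are aggregated under `auth_status == "failed"`; if that is intentionally out of scope, a sentence in the scenario's `description:` saying which subtypes it covers would make that explicit. The trailing `-` at the end of the hunk is only the removal of a blank last line.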
@@ -1,26 +1,47 @@
 len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. 
local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["crowdsecurity/smb-logs"]) == 2
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. 
local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["subtype"] == "smb_bad_user"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"] == "smb-logs.log"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. 
local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["user"] == "administrator"
-results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"] == "smb-logs.log"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["subtype"] == "smb_bad_password"
-results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["user"] == "administrator"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["target_user"] == "administrator"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/sonarr-bf/parser.assert b/.tests/sonarr-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/sonarr-bf/scenario.assert b/.tests/sonarr-bf/scenario.assert
index 46d7e5f671b..8203c50d4f0 100644
--- a/.tests/sonarr-bf/scenario.assert
+++ b/.tests/sonarr-bf/scenario.assert
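Review bot: Both events this fixture parses are failures (`subtype` is `smb_bad_user` and `smb_bad_password`, and each now asserts `Evt.Meta["auth_status"] == "failed"`), so nothing here checks that a successful logon is left untagged; a sample line with a success status (an `NT_STATUS_OK` entry, say) asserted to carry no `auth_status == "failed"` would catch a status pattern that is too permissive, which matters if the brute-force scenario counts on that meta, as the smb-bf scenario assert earlier in this diff suggests. The removed `Meta["log_type"] == "smb_failed_auth"` lines have no direct replacement, so any scenario or allowlist still filtering on `evt.Meta.log_type` stops matching silently; that scenario assert no longer expects `log_type`, which suggests it was migrated, but third-party consumers of the parser are worth a changelog mention. The `Parsed["ip_source"]` versus `Meta["source_ip"]` naming split is pre-existing and untouched here.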
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
 results[0].Overflow.Sources["1.2.3.4"].Range == ""
 results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-09T11:55:12Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-10-09T11:55:12Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-10-09T11:55:13Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "'test'" 
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-10-09T11:55:13Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-10-09T11:55:14Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-10-09T11:55:14Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-10-09T11:55:15Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == 
"'test'"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-10-09T11:55:15Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-10-09T11:55:16Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "'test'"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "sonarr-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-10-09T11:55:16Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "sonarr-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "sonarr_failed_authentication"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "sonarr"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "sonarr"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-10-09T11:55:17Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "'test'"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-10-09T11:55:17Z"
 results[0].Overflow.Alert.GetScenario() == "schiz0phr3ne/sonarr-bf"
 results[0].Overflow.Alert.Remediation == true 
results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/sonarr-logs/parser.assert b/.tests/sonarr-logs/parser.assert
index ddcfe966c68..11635081e09 100644
--- a/.tests/sonarr-logs/parser.assert
+++ b/.tests/sonarr-logs/parser.assert
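Review bot: The six `GetMeta("timestamp")` assertions now pin a full date (`== "2025-10-09T11:55:12Z"` and so on) where the removed lines deliberately sliced the year off (`GetMeta("timestamp")[4:] == "-10-09T11:55:12Z"`); the underlying log lines are syslog-style with no year (`Oct 9 11:55:12`, per the sonarr-logs fixture later in this diff), so if the date enricher fills the year in from the current clock, as the old slice suggests it does, all six start failing on the first run in 2026. Unless the test harness pins the clock, keep the year-agnostic form, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-10-09T11:55:12Z"`, or give the fixture lines an explicit year. A one-line comment at the top of the assert file saying which of the two is relied on would stop the next regeneration from reintroducing this.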
@@ -1,158 +1,197 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 9 11:55:12"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "mono"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Oct 9 11:55:12"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "mono"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Oct 9 11:55:13"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == 
"sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "mono"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 11:55:14"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "mono"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 9 11:55:15"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "125"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "mono" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 9 11:55:15"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "mono"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 9 11:55:16"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "sonarr"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 9 11:55:17"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "mono" 
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 9 11:55:17"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "[Info] Auth: Auth-Success ip 1.2.3.5 username 'test'"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "125"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "mono"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Oct 9 12:29:27"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "sonarr"
-len(results["s01-parse"]["schiz0phr3ne/sonarr-logs"]) == 7
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 
'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "125"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "mono"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Oct 9 12:30:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "sonarr"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
+len(results["s01-parse"]["schiz0phr3ne/sonarr-logs"]) == 8
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Success == true
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["pid"] == "125"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["username"] == "'test'"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["program"] == "mono"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["timestamp"] == "Oct 9 11:55:12"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_type"] == "file" 
results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["machine"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["service"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_path"] == "sonarr-logs.log"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["log_type"] == "sonarr_failed_authentication"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Success == true
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["timestamp"] == "Oct 9 11:55:13"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["program"] == "mono"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["timestamp"] == "Oct 9 11:55:13"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["pid"] == "125"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["username"] == "'test'" 
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["machine"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["service"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Success == true
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["program"] == "mono"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 11:55:14"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["pid"] == "125"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["program"] == "mono"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["datasource_path"] == 
"sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["timestamp"] == "Oct 9 11:55:14"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["machine"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["service"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Success == true
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["program"] == "mono"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["timestamp"] == "Oct 9 11:55:15"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["service"] == 
"sonarr"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["machine"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["service"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Success == true
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["pid"] == "125"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["program"] == "mono"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["timestamp"] == "Oct 9 11:55:16"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'" 
results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["machine"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["service"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Success == true
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["pid"] == "125"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["program"] == "mono"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["source_ip"] == "1.2.3.4" 
results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["timestamp"] == "Oct 9 11:55:17"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Parsed["username"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["machine"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["service"] == "sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["username"] == "'test'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["datasource_path"] == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Meta["target_user"] == "'test'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][6].Success == false
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Success == true
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["message"] == "[Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["pid"] == "125"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["program"] == "mono"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["timestamp"] == "Oct 9 12:30:00" 
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Parsed["username"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["datasource_path"]) == "sonarr-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["machine"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["service"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Meta["target_user"] == "'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][7].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/sonarr-logs/sonarr-logs.log b/.tests/sonarr-logs/sonarr-logs.log
index 780c094126b..6decfb50007 100644
--- a/.tests/sonarr-logs/sonarr-logs.log
+++ b/.tests/sonarr-logs/sonarr-logs.log
@@ -5,3 +5,4 @@ Oct 9 11:55:15 sonarr mono[125]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username
 Oct 9 11:55:16 sonarr mono[125]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 9 11:55:17 sonarr mono[125]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'test'
 Oct 9 12:29:27 sonarr mono[125]: [Info] Auth: Auth-Success ip 1.2.3.5 username 'test'
+Oct 9 12:30:00 sonarr mono[125]: [Warn] Auth: Auth-Failure ip 1.2.3.4 username 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'
diff --git a/.tests/sonarr-nonsyslog-logs/parser.assert b/.tests/sonarr-nonsyslog-logs/parser.assert
index 792643f364a..a8de52bdaf9 100644
--- a/.tests/sonarr-nonsyslog-logs/parser.assert
+++ b/.tests/sonarr-nonsyslog-logs/parser.assert
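Review bot: `Evt.Meta["target_user"]` keeps the surrounding single quotes (`"'test'"` on events 0 to 5, `"'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"` on the new event 7), while the non-syslog variant handled by the same parser, in the sonarr-nonsyslog-logs assert further down, yields `Parsed["username"] == "testing"` with the quotes stripped; the same account therefore gets two different `target_user` values depending on log transport, which breaks anything that groups, counts or allowlists by that meta. The fix belongs in the parser's grok pattern (not in this hunk), capturing only what lies inside the quotes, after which these lines would read `results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["target_user"] == "test"`. Separately, event 6 (the `Auth-Success` line) is asserted `Success == false`, so successful logins are not parsed at all; that is presumably intended for a failed-auth parser, but a comment in the parser stating it would keep the next reader from reading it as a gap.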
@@ -3,92 +3,98 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Sonarr"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "Sonarr"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["schiz0phr3ne/sonarr-logs"]) == 2
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Success == true
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["date"] == "2022-12-17"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["day"] == "17"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["log_level"] == "Warn"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["month"] == "12"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["program"] == "Sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["time"] == "22:04:36.2"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["date"] == "2022-12-17"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["month"] == "12"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["username"] == "testing"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["year"] == "2022"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["day"] == "17"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Parsed["log_level"] == "Warn"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["username"] == "testing"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["service"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Meta["target_user"] == "testing"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Success == true
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["date"] == "2022-12-17"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["day"] == "17"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["log_level"] == "Warn"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["program"] == "Sonarr"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["month"] == "12"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["program"] == "Sonarr"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["time"] == "22:04:41.7"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["username"] == "testing2"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["date"] == "2022-12-17"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["day"] == "17"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["username"] == "testing2"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["service"] == "sonarr"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Meta["target_user"] == "testing2"
+results["s01-parse"]["schiz0phr3ne/sonarr-logs"][1].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Sonarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2022-12-17"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "17"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "Warn"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Sonarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "22:04:36.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-12-17 22:04:36.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "testing"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2022"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "Warn"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-12-17 22:04:36.2|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing'"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "sonarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "testing"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-12-17T22:04:36.2Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "testing"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-12-17T22:04:36.2Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2022-12-17"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["day"] == "17"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Sonarr"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "22:04:41.7"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "testing2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["log_level"] == "Warn"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-12-17 22:04:41.7|Warn|Auth|Auth-Failure ip 1.2.3.4 username 'testing2'"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Sonarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "22:04:41.7"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-12-17 22:04:41.7"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "testing2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "sonarr-nonsyslog-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "sonarr"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "testing2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-12-17T22:04:41.7Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "testing2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "sonarr-nonsyslog-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "sonarr_failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-12-17T22:04:41.7Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/ssh-bf/scenario.assert b/.tests/ssh-bf/scenario.assert
index a633d367fd4..ef892c898f9 100644
--- a/.tests/ssh-bf/scenario.assert
+++ b/.tests/ssh-bf/scenario.assert
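Review bot: The new `Meta["target_user"] == "testing"` assertions in this file pin a value with the single quotes stripped from the log's `username 'testing'`, while the syslog-form test for the same `schiz0phr3ne/sonarr-logs` parser pins `Meta["target_user"] == "'test'"` with the quotes retained, so the two assert files now codify two different extraction behaviours for one meta field. Any scenario that keys on target_user (distinct-user counts in user-enumeration, the `crowdsecurity/impossible-travel-user` scope seen later in this diff) would treat `'test'` and `test` as different users, and a quoted value also leaks into alert output and remediation context. Presumably the syslog branch of the grok/regex captures the quotes as part of the field; I would fix that capture rather than lock the quoted form into the tests, and assert `Meta["target_user"] == "test"` in the sonarr-logs file to match the unquoted form asserted here.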
@@ -4,42 +4,54 @@ results[0].Overflow.Sources["35.188.49.176"].IP == "35.188.49.176" results[0].Overflow.Sources["35.188.49.176"].Range == "" results[0].Overflow.Sources["35.188.49.176"].GetScope() == "Ip" results[0].Overflow.Sources["35.188.49.176"].GetValue() == "35.188.49.176" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "35.188.49.176" results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "pascal" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-02-12T14:10:21Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "35.188.49.176" results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "pascal1" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-02-12T14:10:21Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "35.188.49.176" results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "pascal2" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-02-12T14:10:22Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "35.188.49.176" results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "pascal3" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-02-12T14:10:22Z" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "35.188.49.176" 
results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "pascal4" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "ssh-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-02-12T14:10:23Z" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005" results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "35.188.49.176" results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "pascal5" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-02-12T14:10:24Z" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-bf_user-enum" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 
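Review bot: Every event in this hunk drops the `GetMeta("log_type") == "ssh_failed-auth"` assertion in favour of `GetMeta("auth_status") == "failed"`, and nothing here checks that `log_type` is still emitted, so the assertions only prove the hub's own scenarios still fire. If the sshd parser actually removes the key rather than adding `auth_status` alongside it (I cannot see the parser change from this hunk), every out-of-tree scenario that filters on `evt.Meta.log_type == 'ssh_failed-auth'` silently stops matching — a detection regression with no error surfaced. I would keep emitting `log_type` for a deprecation window and assert both, e.g. retain `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"` next to the new auth_status line, or note the removal as a breaking change in the commit description.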
@@ -48,43 +60,54 @@ results[1].Overflow.Sources["35.188.49.176"].IP == "35.188.49.176" results[1].Overflow.Sources["35.188.49.176"].Range == "" results[1].Overflow.Sources["35.188.49.176"].GetScope() == "Ip" results[1].Overflow.Sources["35.188.49.176"].GetValue() == "35.188.49.176" -results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[0].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "35.188.49.176" results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "pascal" -results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-02-12T14:10:21Z" +results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[1].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "35.188.49.176" results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "pascal1" -results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-02-12T14:10:21Z" +results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" 
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[2].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "35.188.49.176" results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "pascal2" -results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-02-12T14:10:22Z" +results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[3].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "35.188.49.176" results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "pascal3" -results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-02-12T14:10:22Z" +results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[4].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "35.188.49.176" 
results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "pascal4" -results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "ssh-bf.log" +results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-02-12T14:10:23Z" +results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-bf.log" results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth" +results[1].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005" results[1].Overflow.Alert.Events[5].GetMeta("service") == "ssh" results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "35.188.49.176" results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "pascal5" +results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-02-12T14:10:24Z" results[1].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-bf" results[1].Overflow.Alert.Remediation == true results[1].Overflow.Alert.GetEventsCount() == 6 - diff --git a/.tests/ssh-generic-test/scenario.assert b/.tests/ssh-generic-test/scenario.assert index 9e69004ebae..ef818894247 100644 --- a/.tests/ssh-generic-test/scenario.assert +++ b/.tests/ssh-generic-test/scenario.assert 
@@ -4,9 +4,9 @@ results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
 results[0].Overflow.Sources["127.0.0.1"].Range == ""
 results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
 results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-generic-test.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
diff --git a/.tests/ssh-slow-bf/scenario.assert b/.tests/ssh-slow-bf/scenario.assert
index 9fe0f2a4cdc..7ab804a8d92 100644
--- a/.tests/ssh-slow-bf/scenario.assert
+++ b/.tests/ssh-slow-bf/scenario.assert
@@ -1,74 +1,97 @@ +len(results) == 1 "103.100.210.198" in results[0].Overflow.GetSources() results[0].Overflow.Sources["103.100.210.198"].IP == "103.100.210.198" results[0].Overflow.Sources["103.100.210.198"].Range == "" results[0].Overflow.Sources["103.100.210.198"].GetScope() == "Ip" results[0].Overflow.Sources["103.100.210.198"].GetValue() == "103.100.210.198" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-30T12:16:00Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == 
"2025-09-30T12:16:33Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[2].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-30T12:17:00Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[3].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-09-30T12:17:33Z" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[4].GetMeta("machine") == "ip-172-31-43-28" 
results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-09-30T12:18:00Z" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[5].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[6].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-09-30T12:18:33Z" +results[0].Overflow.Alert.Events[6].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[6].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[6].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[6].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[7].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-09-30T12:19:00Z" +results[0].Overflow.Alert.Events[7].GetMeta("auth_status") == 
"failed" +basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[7].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[7].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[7].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[8].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-09-30T12:19:33Z" +results[0].Overflow.Alert.Events[8].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[8].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[8].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[8].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[9].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-09-30T12:20:00Z" +results[0].Overflow.Alert.Events[9].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[9].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[9].GetMeta("service") == "ssh" 
results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[9].GetMeta("target_user") == "hadoop" -results[0].Overflow.Alert.Events[10].GetMeta("datasource_path") == "ssh-slow-bf.log" +results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-09-30T12:20:33Z" +results[0].Overflow.Alert.Events[10].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "ssh-slow-bf.log" results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[10].GetMeta("machine") == "ip-172-31-43-28" results[0].Overflow.Alert.Events[10].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "103.100.210.198" results[0].Overflow.Alert.Events[10].GetMeta("target_user") == "hadoop" +results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-09-30T12:21:00Z" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-slow-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 20 diff --git a/.tests/ssh-timeout/parser.assert b/.tests/ssh-timeout/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/sshd-bad-keyexchange-bf/parser.assert b/.tests/sshd-bad-keyexchange-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/sshd-impossible-travel-user/parser.assert b/.tests/sshd-impossible-travel-user/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/sshd-impossible-travel-user/scenario.assert b/.tests/sshd-impossible-travel-user/scenario.assert index 6f35c5e4fbe..ba92e289b6b 100644 --- a/.tests/sshd-impossible-travel-user/scenario.assert +++ b/.tests/sshd-impossible-travel-user/scenario.assert 
@@ -7,25 +7,25 @@ results[0].Overflow.Sources["vagrant"].GetValue() == "vagrant"
 results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshd-success-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "bullseye"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-09-06T09:57:21Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "vagrant"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-06T09:57:21Z"
 results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sshd-success-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "bullseye"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == 
"9.8.8.8"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-09-06T09:57:24Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-06T09:57:24Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel-user"
 results[0].Overflow.Alert.Remediation == false
 results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/sshd-impossible-travel/parser.assert b/.tests/sshd-impossible-travel/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/sshd-impossible-travel/scenario.assert b/.tests/sshd-impossible-travel/scenario.assert
index cb3dee00d09..0bd36a324db 100644
--- a/.tests/sshd-impossible-travel/scenario.assert
+++ b/.tests/sshd-impossible-travel/scenario.assert
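Review bot: Pinning the full year in `results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-06T09:57:21Z"` (and the matching Events[1] line) drops the year-agnostic `[4:]` slice the old assertion used; if sshd-success-logs.log carries syslog-style timestamps with no year, the dateparse enricher has to supply the year itself and this test will start failing at the next calendar rollover. The same pinning appears in the sshd-impossible-travel hunk, in the ssh-slow-bf hunk, and in the sshd-invalid-bf scenario.assert hunk, where the deleted parser.assert shows `Parsed["timestamp"] == "Jan 24 15:32:31"`, i.e. a source line with no year. Either keep the `[4:]` form for year-less inputs, or add a one-line comment in the fixture explaining why the year is stable (for example, the log lines carrying a full ISO timestamp) so the next person does not "fix" it back.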
@@ -12,25 +12,25 @@ results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
 results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshd-success-logs.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "bullseye"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-09-06T09:57:21Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "vagrant"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-06T09:57:21Z"
 results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sshd-success-logs.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "bullseye"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == 
"9.8.8.8"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-09-06T09:57:24Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-06T09:57:24Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
 results[0].Overflow.Alert.Remediation == false
 results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/sshd-invalid-bf/config.yaml b/.tests/sshd-invalid-bf/config.yaml
index bd521f7d4fa..d0a86ad6b3e 100644
--- a/.tests/sshd-invalid-bf/config.yaml
+++ b/.tests/sshd-invalid-bf/config.yaml
@@ -9,4 +9,4 @@ postoverflows:
 log_file: sshd-invalid-bf.log
 log_type: syslog
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
diff --git a/.tests/sshd-invalid-bf/parser.assert b/.tests/sshd-invalid-bf/parser.assert
deleted file mode 100644
index f30f6f5b35c..00000000000
--- a/.tests/sshd-invalid-bf/parser.assert
+++ /dev/null
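Review bot: `ignore_parsers: true`, combined with the deletion of .tests/sshd-invalid-bf/parser.assert in the same series, removes every parser-stage check for this test: the deleted file pinned `Parsed["sshd_invalid_user"] == "root"`, `Parsed["sshd_client_ip"] == "179.43.183.98"` and a per-stage `Success == true` for s00-raw, s01-parse and s02-enrich, none of which the surviving scenario.assert covers. A regression in the crowdsecurity/sshd-logs parser would now only show up indirectly, through the alert's meta or a lower `GetEventsCount()`, instead of at the stage where it happens. Assuming `ignore_parsers` skips the parser assertion run, as the accompanying deletion suggests, I would keep `ignore_parsers: false` and ship a trimmed parser.assert (the three `len(results[...]) == 6` stage counts plus one `sshd_invalid_user`/`sshd_client_ip` line per stage) rather than disable the stage outright. The other parser.assert deletions in this series are empty blobs (index e69de29bb2d), so no coverage is lost there.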
@@ -1,251 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 59402 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "2651912"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 24 15:32:31"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38260 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "2654543"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 24 15:32:32"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 45326 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "2657307"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 24 15:32:33"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "2660116"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 24 15:32:34"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 52414 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 24 15:32:35"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 59502 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "2662890"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "2665707"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "sshd"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 24 15:32:36"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38346 [preauth]"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 6
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["pid"] == "2651912"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp"] == "Jan 24 15:32:31"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["message"] == "Disconnected from authenticating user root 
179.43.183.98 port 59402 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "server"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38260 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["pid"] == "2654543"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp"] == "Jan 24 15:32:32"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "server"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp"] == "Jan 24 15:32:33"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 45326 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["pid"] == "2657307"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "server"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["timestamp"] == "Jan 24 15:32:34"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["pid"] == "2660116"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 52414 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["machine"] == "server"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["pid"] == "2662890"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 59502 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["timestamp"] == "Jan 24 15:32:35"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["machine"] == "server"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Success == true
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["program"] == "sshd"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38346 [preauth]"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["pid"] == "2665707"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["timestamp"] == "Jan 24 15:32:36"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["service"] == "ssh"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["machine"] == "server"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 59402 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "2651912"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 24 15:32:31"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-01-24T15:32:31Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:31Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 24 15:32:32"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38260 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "2654543"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-01-24T15:32:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 24 15:32:33"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "2657307"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 45326 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-01-24T15:32:33Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:33Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 52414 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "2660116"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 24 15:32:34"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-01-24T15:32:34Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:34Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 59502 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "2662890"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 24 15:32:35"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"][4:] == "-01-24T15:32:35Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:35Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "2665707"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshd_client_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshd_invalid_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 24 15:32:36"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "Disconnected from authenticating user root 179.43.183.98 port 38346 [preauth]"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "sshd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "ssh_failed-auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "ssh"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "179.43.183.98"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"][4:] == "-01-24T15:32:36Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "sshd-invalid-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"][4:] == "-01-24T15:32:36Z"
-len(results["success"][""]) == 0
diff --git a/.tests/sshd-invalid-bf/scenario.assert b/.tests/sshd-invalid-bf/scenario.assert
index f873d79c6dd..0603b8a8c54 100644
--- a/.tests/sshd-invalid-bf/scenario.assert
+++ b/.tests/sshd-invalid-bf/scenario.assert
@@ -4,55 +4,54 @@ results[0].Overflow.Sources["179.43.183.98"].IP == "179.43.183.98"
 results[0].Overflow.Sources["179.43.183.98"].Range == ""
 results[0].Overflow.Sources["179.43.183.98"].GetScope() == "Ip"
 results[0].Overflow.Sources["179.43.183.98"].GetValue() == "179.43.183.98"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-24T15:32:31Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-01-24T15:32:31Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-01-24T15:32:32Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-01-24T15:32:32Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-01-24T15:32:33Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-01-24T15:32:33Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-01-24T15:32:34Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-01-24T15:32:34Z"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp")[4:] == "-01-24T15:32:35Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "sshd-invalid-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-01-24T15:32:35Z"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "sshd-invalid-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "179.43.183.98"
 results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "root"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp")[4:] == "-01-24T15:32:36Z"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-01-24T15:32:36Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-
diff --git a/.tests/sshd-logs/parser.assert b/.tests/sshd-logs/parser.assert
index 5f42fad3dd9..e5560dda940 100644
--- a/.tests/sshd-logs/parser.assert
+++ b/.tests/sshd-logs/parser.assert
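Review bot: The six new `GetMeta("timestamp") == "2025-01-24T15:32:31Z"` assertions (Events[0] through Events[5]) pin a calendar year, whereas the lines they replace, and the adguardhome-bf enrich assertions just above, deliberately compared only `[4:]` so the check is year-agnostic. The sshd sample lines carry syslog timestamps with no year, so if the dateparse enricher fills the year from the wall clock this scenario test will start failing at the next year boundary for reasons unrelated to the parser. Unless the harness freezes the clock, keep the slice form, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-01-24T15:32:31Z"` for each of the six events. The dropped `log_type` assertions are covered here only indirectly: `GetScenario() == "crowdsecurity/ssh-bf"` with `GetEventsCount() == 6` is the regression that proves the scenario still matches without that key, so it is worth confirming the ssh-bf filter no longer references `evt.Meta.log_type`.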
@@ -249,9 +249,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_client_ip"] == "35.188.49.176"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"]) == "sshd-logs.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "35.188.49.176"
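Review bot: The `Evt.Meta["log_type"] == "ssh_failed-auth"` assertion is deleted and only `Evt.Meta["auth_status"] == "failed"` takes its place, here for event [0] and identically in the following sshd-logs hunks for events [1]–[7], [9]–[11], [15]–[17] and [20]–[21]. Since these assert files are generated from parser output, the deletions read as the sshd-logs parser no longer emitting the `log_type` meta key at all; any scenario, whitelist or postoverflow elsewhere in the hub that still filters on `evt.Meta.log_type == 'ssh_failed-auth'` would then stop matching silently, which is a detection gap rather than a test failure. The parser change should either keep emitting `log_type` alongside `auth_status` for a transition period or be paired with a sweep of consumers of that key. Events [8], [12]–[14] and [18]–[19] in the same file receive no `auth_status` line; if those are parsed by nodes that previously also set `log_type`, that looks like a node the new meta was not added to, so it is worth confirming the omission is intentional.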
@@ -265,9 +265,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_client_ip"] == "35.188.49.176" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_invalid_user"] == "pascal" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "sd-126005" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "35.188.49.176" 
@@ -281,9 +281,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_client_ip"] == "35.188.49.176" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_invalid_user"] == "pascal" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "sd-126005" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "35.188.49.176" 
@@ -300,9 +300,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_client_ip"] results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_invalid_user"] == "workshop" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["timestamp"] == "Nov 2 15:40:14" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["machine"] == "workshop" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["source_ip"] == "5.33.63.160" 
@@ -318,9 +318,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["sshd_client_ip"] == "5.33.63.161" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["timestamp"] == "Nov 2 15:40:15" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["machine"] == "workshop" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["source_ip"] == "5.33.63.161" 
@@ -333,9 +333,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["sshd_client_ip"] == "206.81.24.125" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["sshd_invalid_user"] == "root" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["timestamp"] == "Dec 22 14:53:37" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["machine"] == "ip-172-31-20-90" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["source_ip"] == "206.81.24.125" 
@@ -349,9 +349,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["sshd_client_ip"] == "92.255.85.135" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["sshd_invalid_user"] == "ftp" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["timestamp"] == "Feb 19 10:38:14" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["machine"] == "myhost" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["source_ip"] == "92.255.85.135" 
@@ -365,9 +365,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["program"] == "ssh results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["sshd_client_ip"] == "92.255.85.135" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["sshd_invalid_user"] == "ftp" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["timestamp"] == "Feb 19 10:38:14" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["machine"] == "myhost" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["source_ip"] == "92.255.85.135" 
@@ -381,9 +381,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["pid"] == "386400" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["sshd_client_ip"] == "94.232.46.213" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["timestamp"] == "Oct 10 01:48:14" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["machine"] == "username" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["source_ip"] == "94.232.46.213" 
@@ -395,9 +395,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["pid"] == "386400 results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["sshd_client_ip"] == "94.232.46.213" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["timestamp"] == "Oct 10 01:48:14" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["machine"] == "username" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["source_ip"] == "94.232.46.213" 
@@ -410,9 +410,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["program"] == "ss results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["sshd_client_ip"] == "206.81.24.125" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["sshd_invalid_user"] == "root" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["timestamp"] == "Aug 03 21:39:20" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["machine"] == "hostname" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["source_ip"] == "206.81.24.125" 
@@ -468,9 +468,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["program"] == "ss results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["sshd_client_ip"] == "80.94.92.63" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["sshd_invalid_user"] == "root" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["timestamp"] == "Feb 8 17:15:01" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["machine"] == "hostname" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["source_ip"] == "80.94.92.63" 
@@ -484,9 +484,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["program"] == "ss results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["sshd_client_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["sshd_invalid_user"] == "root" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["timestamp8601"] == "2023-11-14T00:20:42.738197+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["machine"] == "myserver" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["source_ip"] == "192.168.1.1" 
@@ -502,9 +502,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["sshd_invalid_use results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["sshd_port"] == "51182" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["sshd_protocol"] == "ssh2" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["timestamp"] == "Apr 6 18:51:41" +results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["machine"] == "eve" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["source_ip"] == "192.168.1.2" 
@@ -546,9 +546,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Parsed["program"] == "ss results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Parsed["sshd_client_ip"] == "192.168.1.3" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Parsed["sshd_invalid_user"] == "pascal5" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Parsed["timestamp"] == "Feb 12 14:10:24" +results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["machine"] == "sd-126005" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["source_ip"] == "192.168.1.3" 
@@ -561,9 +561,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["pid"] == "36648" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["sshd_client_ip"] == "118.27.24.104" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["timestamp"] == "Nov 19 11:28:15" +results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["datasource_path"]) == "sshd-logs.log" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["log_type"] == "ssh_failed-auth" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["machine"] == "myhost" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["source_ip"] == "118.27.24.104" diff --git a/.tests/sshd-refused-conn/parser.assert b/.tests/sshd-refused-conn/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/sshd-success-logs/parser.assert b/.tests/sshd-success-logs/parser.assert index e137c642172..43fd3130e3a 100644 --- a/.tests/sshd-success-logs/parser.assert +++ b/.tests/sshd-success-logs/parser.assert 
@@ -6,178 +6,190 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Acc results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "581" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sshd" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Sep 6 09:57:21" -results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "bullseye" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sshd" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "812" -results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" 
results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "bullseye" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "sshd" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Sep 6 09:57:30" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 45652 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "855" -results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Sep 6 09:57:30" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "bullseye" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "sshd" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Sep 6 10:00:56" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "Accepted password for test from 192.168.121.1 port 43124 ssh2" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "12032" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Sep 6 10:00:56" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "bullseye" -results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false len(results["s01-parse"]["crowdsecurity/sshd-success-logs"]) == 4 results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Success == true -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["sshd_client_port"] == "56296" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["pid"] == "581" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["sshd_auth_user"] == "vagrant" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["sshd_client_port"] == "56296" 
results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["sshd_trail"] == ": RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Parsed["timestamp"] == "Sep 6 09:57:21" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["source_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["user"] == "vagrant" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["auth_status"] == "success" +basename(results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["machine"] == "bullseye" results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["source_ip"] == "192.168.121.1" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Meta["target_user"] == "vagrant" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][0].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Success == true results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["pid"] == "812" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["program"] == "sshd" 
-results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["sshd_trail"] == ": RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["sshd_auth_user"] == "vagrant" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["sshd_client_port"] == "56302" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["sshd_trail"] == ": RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["auth_status"] == "success" +basename(results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["machine"] == "bullseye" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["source_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["user"] == "vagrant" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["datasource_path"] == "sshd-success-logs.log" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["log_type"] == "auth_success" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Meta["target_user"] == "vagrant" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][1].Evt.Whitelisted == false 
results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 45652 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["pid"] == "855" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["sshd_auth_user"] == "vagrant" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["sshd_client_port"] == "45652" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["sshd_trail"] == ": RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 45652 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["pid"] == "855" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["timestamp"] == "Sep 6 09:57:30" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["log_type"] == "auth_success" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["auth_status"] == "success" +basename(results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" 
+results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["machine"] == "bullseye" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["source_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["user"] == "vagrant" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["datasource_path"] == "sshd-success-logs.log" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Meta["target_user"] == "vagrant" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][2].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["message"] == "Accepted password for test from 192.168.121.1 port 43124 ssh2" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["pid"] == "12032" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["program"] == "sshd" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["sshd_auth_user"] == "test" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["sshd_client_port"] == "43124" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["timestamp"] == "Sep 6 10:00:56" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["message"] == "Accepted password for test from 
192.168.121.1 port 43124 ssh2" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["user"] == "test" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["auth_status"] == "success" +basename(results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["log_type"] == "auth_success" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["machine"] == "bullseye" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["service"] == "ssh" results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["source_ip"] == "192.168.121.1" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Meta["target_user"] == "test" +results["s01-parse"]["crowdsecurity/sshd-success-logs"][3].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_client_port"] == "56296" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_trail"] == ": RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "581" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sshd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_auth_user"] == "vagrant" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_client_port"] == "56296" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_trail"] == ": RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Sep 6 09:57:21" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "bullseye" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ssh" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-09-06T09:57:21Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "vagrant" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-09-06T09:57:21Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "vagrant" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-09-06T09:57:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-09-06T09:57:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sshd" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_port"] == "56302" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "812" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sshd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_auth_user"] == "vagrant" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_port"] == "56302" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_trail"] == ": RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "vagrant" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Sep 6 09:57:24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "bullseye" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ssh" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-09-06T09:57:24Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-09-06T09:57:24Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "vagrant" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-09-06T09:57:24Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-09-06T09:57:24Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 45652 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "855" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_auth_user"] == "vagrant" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_client_port"] == "45652" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "Accepted publickey for vagrant from 192.168.121.1 port 45652 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_auth_user"] == "vagrant" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_trail"] == ": RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Sep 6 09:57:30" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "vagrant" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "sshd-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "bullseye" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ssh" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-09-06T09:57:30Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-09-06T09:57:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "vagrant" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-09-06T09:57:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-09-06T09:57:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_client_port"] == "43124" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Sep 6 10:00:56" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sshd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "Accepted password for test from 192.168.121.1 port 43124 ssh2" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "12032" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sshd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_auth_user"] == "test" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_client_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "test" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "sshd-success-logs.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_client_port"] == "43124" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Sep 6 10:00:56" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "success" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "sshd-success-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "auth_success" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "bullseye" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "ssh" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.121.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-09-06T10:00:56Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-09-06T10:00:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-09-06T10:00:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-09-06T10:00:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/.tests/sshd_banner_exchange/scenario.assert b/.tests/sshd_banner_exchange/scenario.assert index 8aca60edd5c..670363f86e8 100644 --- a/.tests/sshd_banner_exchange/scenario.assert +++ b/.tests/sshd_banner_exchange/scenario.assert 
@@ -4,36 +4,48 @@ results[0].Overflow.Sources["59.91.122.57"].IP == "59.91.122.57" results[0].Overflow.Sources["59.91.122.57"].Range == "" results[0].Overflow.Sources["59.91.122.57"].GetScope() == "Ip" results[0].Overflow.Sources["59.91.122.57"].GetValue() == "59.91.122.57" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshd_banner_exchange.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "59.91.122.57" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-12-01T18:59:33Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sshd_banner_exchange.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "59.91.122.57" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-12-01T18:59:33Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sshd_banner_exchange.log" 
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[2].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "59.91.122.57" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-12-01T18:59:33Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sshd_banner_exchange.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[3].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "59.91.122.57" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-12-01T18:59:33Z" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "sshd_banner_exchange.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[4].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "59.91.122.57" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "sshd_banner_exchange.log" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-12-01T18:59:33Z" 
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "sshd_banner_exchange.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth" +results[0].Overflow.Alert.Events[5].GetMeta("machine") == "hostname" results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "59.91.122.57" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-12-01T18:59:33Z" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/sshesame/parser.assert b/.tests/sshesame/parser.assert index 0eb2431b58b..1a7de4a020b 100644 --- a/.tests/sshesame/parser.assert +++ b/.tests/sshesame/parser.assert 
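Review bot: The six new `GetMeta("timestamp") == "2025-12-01T18:59:33Z"` assertions added here pin a full calendar year, but the source line looks like classic syslog (the added `machine == "hostname"` meta points that way), where the year is absent from the log and gets filled in from the clock at parse time; if so, this scenario will start failing on the first run in 2026. The `[4:]` slice used by the adguardhome-bf assertions this same commit removes avoided exactly that, so I would keep that form here: `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-12-01T18:59:33Z"`, and likewise for Events[1] through Events[5]. If the fixture log does carry an explicit year, disregard this. This hunk is the whole assertion file, so there is no enclosing function.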
@@ -3,1908 +3,2289 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 381 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] input: \"GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] closed" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2022/05/06 04:58:33 [190.2.139.67:7117] [channel 63] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2022/05/06 04:58:33 [190.2.139.67:7117] [channel 63] input: \"GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2022/05/06 04:58:33 [190.2.139.67:7117] [channel 63] closed" 
results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] authentication for user \"admin\" without credentials rejected" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] authentication for user \"admin\" with password \"aisadmin\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] connection with client version \"SSH-2.0-OpenSSH_5.9\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] direct TCP/IP forwarding from 127.0.0.1:24161 to 74.125.205.113:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 1] direct TCP/IP forwarding from 127.0.0.1:14687 to [2a00:1450:4010:c02::8b]:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][13].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][14].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 1] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][15].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] connection closed"
results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][16].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["message"] == "2022/05/06 05:11:00 [185.131.12.144:60273] authentication for user \"default\" without credentials rejected"
results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][17].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["message"] == "2022/05/06 05:11:02 [185.131.12.144:60273] authentication for user \"default\" with password \"1\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][17].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][18].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["program"] == "sshesame"
results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["message"] == "2022/05/06 05:11:02 [185.131.12.144:60273] connection with client version \"SSH-2.0-OpenSSH_7.4\" established"
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][18].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][19].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Parsed["message"] == "2022/05/06 05:11:04 [185.131.12.144:60273] connection closed"
results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][19].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][20].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Parsed["program"] == "sshesame"
results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" without credentials rejected"
-results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][20].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][21].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" with password \"xuexiaoman\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][21].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][22].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] connection with client version \"SSH-2.0-Go\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][22].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][23].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] [channel 0] session requested"
results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][23].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][24].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] [channel 0] command \"uname -s -v -n -r -m\" requested"
results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][24].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][25].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Parsed["message"] == "2022/05/06 05:37:29 [165.232.183.156:55934] [channel 0] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][25].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][26].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Parsed["message"] == "2022/05/06 05:40:00 [165.232.183.156:55934] connection closed"
results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][26].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][27].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] authentication for user \"pi\" without credentials rejected"
results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][27].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][28].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] authentication for user \"pi\" with password \"raspberryraspberry993311\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][28].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][29].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] connection with client version \"SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][29].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][30].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] rejection of further session channels requested"
results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][30].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][31].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] [channel 0] session requested"
results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][32].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] environment variable \"LANG\" with value \"en_GB.UTF-8\" requested"
results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][33].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested"
results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][33].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][34].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][34].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][35].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] connection closed"
results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][35].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][36].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] authentication for user \"pi\" without credentials rejected"
results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][36].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][37].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] authentication for user \"pi\" with password \"raspberry\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][37].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][38].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] connection with client version \"SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][38].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][39].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] rejection of further session channels requested"
results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][39].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][40].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] [channel 0] session requested"
results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][40].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][41].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] [channel 0] environment variable \"LANG\" with value \"en_GB.UTF-8\" requested"
results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][41].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][42].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested"
results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][42].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][43].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Parsed["program"] == "sshesame"
results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Parsed["message"] == "2022/05/06 05:40:33 [186.78.209.242:47346] [channel 0] closed"
-results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][43].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][44].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Parsed["message"] == "2022/05/06 05:40:33 [186.78.209.242:47346] connection closed"
results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][44].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][45].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Parsed["message"] == "2022/05/06 05:48:16 [190.2.139.67:7117] [channel 76] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][45].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][46].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Parsed["message"] == "2022/05/06 05:48:16 [190.2.139.67:7117] [channel 76] input: \"GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][46].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][47].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Parsed["message"] == "2022/05/06 05:48:16 [190.2.139.67:7117] [channel 76] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][47].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][48].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][48].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][49].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] input: \"GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][49].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][50].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][50].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][51].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][51].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][52].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] input: \"GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][52].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][53].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][53].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][54].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.141.25:80 requested"
results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][54].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][55].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][55].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][56].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][56].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][57].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Parsed["message"] == "2022/05/06 06:41:23 [45.82.65.44:42736] [channel 26] closed"
results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][57].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][58].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Parsed["message"] == "2022/05/06 06:41:28 [111.70.9.198:39673] authentication for user \"default\" without credentials rejected"
results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][58].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][59].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] authentication for user \"default\" with password \"1\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][59].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][60].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] connection with client version \"SSH-2.0-OpenSSH_7.4\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][60].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][61].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Parsed["program"] == "sshesame"
results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Parsed["message"] == "2022/05/06 06:41:31 [111.70.9.198:39673] connection closed"
-results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][61].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][62].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Parsed["program"] == "sshesame"
results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Parsed["message"] == "2022/05/06 06:43:09 [195.3.147.60:38745] authentication for user \"!root\" without credentials rejected"
-results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][62].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][63].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Parsed["message"] == "2022/05/06 06:43:09 [195.3.147.60:38745] authentication for user \"!root\" with password \"\" accepted"
results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][63].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][64].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Parsed["message"] == "2022/05/06 06:43:09 [195.3.147.60:38745] connection with client version \"SSH-2.0-OpenSSH_4.3\" established"
results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][64].Evt.Whitelisted == false
results["s00-raw"]["crowdsecurity/non-syslog"][65].Success == true
results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] direct TCP/IP 
forwarding from 127.0.0.1:6487 to 74.125.205.102:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][65].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][66].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][66].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][67].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][67].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][68].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 1] direct TCP/IP forwarding from 127.0.0.1:2206 to [2a00:1450:4010:c02::8b]:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][68].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][69].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][69].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][70].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 1] closed" results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Meta["datasource_type"] == 
"file" +results["s00-raw"]["crowdsecurity/non-syslog"][70].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][71].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][71].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][72].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Parsed["message"] == "2022/05/06 07:05:23 [190.189.12.92:60614] authentication for user \"arjun\" with password \"arjun123\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][72].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][73].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Parsed["message"] == "2022/05/06 07:05:23 [190.189.12.92:60614] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Meta["datasource_path"]) == 
"sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][73].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][74].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:32868] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][74].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][75].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:32868] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][75].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][76].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:60614] [channel 0] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Meta["datasource_path"] == 
"sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][76].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][77].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:32868] connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][77].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][78].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:60614] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][78].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][79].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:60614] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Parsed["program"] == "sshesame" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][79].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][80].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Parsed["message"] == "2022/05/06 07:45:57 [190.2.139.67:58629] [channel 111] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][80].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][81].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Parsed["message"] == "2022/05/06 07:45:57 [190.2.139.67:58629] [channel 111] input: \"GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" -results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][81].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][82].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Parsed["message"] == "2022/05/06 07:45:57 [190.2.139.67:58629] [channel 111] closed" results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][82].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][83].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" +results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][83].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][84].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] input: \"GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Meta["datasource_path"] 
== "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][84].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][85].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] closed" results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][85].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][86].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Parsed["message"] == "2022/05/06 07:54:02 [190.2.139.67:58629] [channel 113] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][86].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][87].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Parsed["message"] == "2022/05/06 07:54:02 [190.2.139.67:58629] [channel 113] input: \"GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: 
*/*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][87].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][88].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Parsed["message"] == "2022/05/06 07:54:02 [190.2.139.67:58629] [channel 113] closed" results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][88].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][89].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Parsed["message"] == "2022/05/06 08:01:27 [190.2.139.67:58629] [channel 115] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][89].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][90].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Parsed["message"] == "2022/05/06 08:01:27 [190.2.139.67:58629] [channel 115] input: \"GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][90].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][91].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Parsed["message"] == "2022/05/06 08:01:27 [190.2.139.67:58629] [channel 115] closed" results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][91].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][92].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Parsed["message"] == "2022/05/06 08:06:24 [190.2.139.67:7117] [channel 106] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][92].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][93].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Parsed["message"] == "2022/05/06 08:06:24 [190.2.139.67:7117] [channel 106] input: \"GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][93].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][94].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Parsed["message"] == "2022/05/06 08:06:24 [190.2.139.67:7117] [channel 106] closed" results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][94].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][95].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][95].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][96].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] input: \"GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][96].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][97].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] closed" results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][97].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][98].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Parsed["message"] == "2022/05/06 
08:36:14 [190.2.139.67:7117] [channel 108] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][98].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][99].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Parsed["message"] == "2022/05/06 08:36:14 [190.2.139.67:7117] [channel 108] input: \"GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][99].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][100].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Parsed["message"] == "2022/05/06 08:36:15 [190.2.139.67:7117] [channel 108] closed" -results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][100].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][101].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][101].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][102].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] input: \"GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][102].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][103].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Parsed["message"] == "2022/05/06 08:57:44 [190.2.139.67:58629] [channel 135] closed" 
results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][103].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][104].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Parsed["message"] == "2022/05/06 09:14:07 [92.159.59.16:39498] authentication for user \"ubnt\" without credentials rejected" results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][104].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][105].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Parsed["message"] == "2022/05/06 09:14:09 [92.159.59.16:39498] authentication for user \"ubnt\" with password \"ubnt1\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][105].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][106].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Parsed["message"] == "2022/05/06 09:14:09 [92.159.59.16:39498] connection with client version \"SSH-2.0-OpenSSH_7.4\" established" results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][106].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][107].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Parsed["message"] == "2022/05/06 09:14:10 [92.159.59.16:39498] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][107].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][108].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Parsed["message"] == "2022/05/06 09:14:14 [15.207.177.208:41458] authentication for user \"roo\" with password \"123456\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/non-syslog"][108].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][109].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Parsed["message"] == "2022/05/06 09:14:14 [15.207.177.208:41458] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][109].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][110].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Parsed["message"] == "2022/05/06 09:14:15 [15.207.177.208:41458] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][110].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][111].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][111].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][112].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][112].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][113].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][113].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][114].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Parsed["message"] == "2022/05/06 09:15:03 [3.16.59.158:43316] authentication for user \"root\" with password \"sr1234\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Parsed["program"] 
== "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][114].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][115].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Parsed["message"] == "2022/05/06 09:15:03 [3.16.59.158:43316] connection with client version \"SSH-2.0-libssh_0.9.5\" established" results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][115].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][116].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43318] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][116].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][117].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Parsed["message"] == 
"2022/05/06 09:15:04 [3.16.59.158:43318] connection with client version \"SSH-2.0-libssh_0.9.5\" established" results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][117].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][118].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43318] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][118].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][119].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43316] connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][119].Evt.Whitelisted == 
false results["s00-raw"]["crowdsecurity/non-syslog"][120].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Parsed["message"] == "2022/05/06 09:17:10 [3.16.59.158:43418] authentication for user \"root\" with password \"1212\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][120].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][121].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Parsed["message"] == "2022/05/06 09:17:10 [3.16.59.158:43418] connection with client version \"SSH-2.0-libssh_0.9.5\" established" results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][121].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][122].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43420] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][122].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][123].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43420] connection with client version \"SSH-2.0-libssh_0.9.5\" established" results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][123].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][124].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43418] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][124].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][125].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43420] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][125].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][126].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Parsed["message"] == "2022/05/06 09:21:27 [190.2.139.67:7117] [channel 127] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][126].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][127].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Parsed["message"] == "2022/05/06 09:21:27 [190.2.139.67:7117] [channel 127] input: \"GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][127].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][128].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Parsed["message"] == "2022/05/06 09:21:27 [190.2.139.67:7117] [channel 127] closed" results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][128].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][129].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Parsed["message"] == "2022/05/06 09:23:00 [45.82.65.44:42736] [channel 27] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.143.25:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][129].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][130].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Parsed["message"] == "2022/05/06 09:23:00 [45.82.65.44:42736] [channel 27] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][130].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][131].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Parsed["message"] == "2022/05/06 09:23:01 [45.82.65.44:42736] [channel 27] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][131].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][132].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Parsed["message"] == "2022/05/06 09:23:32 [45.82.65.44:42736] [channel 27] closed" results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][132].Evt.Whitelisted == 
false results["s00-raw"]["crowdsecurity/non-syslog"][133].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Parsed["message"] == "2022/05/06 09:27:47 [190.2.139.67:7117] [channel 132] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][133].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][134].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Parsed["message"] == "2022/05/06 09:27:47 [190.2.139.67:7117] [channel 132] input: \"GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][134].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][135].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Parsed["message"] == "2022/05/06 09:27:47 [190.2.139.67:7117] [channel 132] closed" results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][135].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][136].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Parsed["message"] == "2022/05/06 09:36:45 [190.2.139.67:7117] [channel 134] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][136].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][137].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Parsed["message"] == "2022/05/06 09:36:45 [190.2.139.67:7117] [channel 134] input: \"GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][137].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][138].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Parsed["message"] == "2022/05/06 09:36:45 
[190.2.139.67:7117] [channel 134] closed" results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][138].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][139].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] authentication for user \"!root\" without credentials rejected" results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][139].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][140].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] authentication for user \"!root\" with password \"\" accepted" -results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/non-syslog"][140].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][141].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] connection with client version \"SSH-2.0-libssh_0.11\" established" results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][141].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][142].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] direct TCP/IP forwarding from 127.0.0.1:6629 to 74.125.205.139:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][142].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][143].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Meta["datasource_path"] == 
"sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][143].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][144].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][144].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][145].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 1] direct TCP/IP forwarding from 127.0.0.1:8451 to [2a00:1450:4010:c02::71]:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][145].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][146].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" 
results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][146].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][147].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 1] closed" results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][147].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][148].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][148].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][149].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Parsed["message"] == "2022/05/06 09:44:27 [190.123.44.157:50934] 
authentication for user \"root\" with password \"1234!@#$\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][149].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][150].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Parsed["message"] == "2022/05/06 09:44:27 [190.123.44.157:50934] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][150].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][151].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:51298] authentication for user \"nproc\" with password \"nproc\" accepted" -results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/non-syslog"][151].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][152].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:51298] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][152].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][153].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:51298] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][153].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][154].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:50934] [channel 0] session requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][154].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][155].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:50934] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][155].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][156].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:50934] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][156].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][157].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Parsed["message"] == "2022/05/06 09:46:12 [92.38.176.30:58548] authentication for user \"tareq\" with password \"tareq\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][157].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][158].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Parsed["message"] == "2022/05/06 09:46:12 [92.38.176.30:58548] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][158].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][159].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Parsed["message"] == "2022/05/06 09:46:12 [92.38.176.30:58548] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][159].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][160].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Parsed["message"] == "2022/05/06 09:46:13 [92.38.176.30:58768] authentication for user \"nproc\" with password 
\"nproc\" accepted" -results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][160].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][161].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Parsed["message"] == "2022/05/06 09:46:13 [92.38.176.30:58768] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][161].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][162].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Parsed["message"] == "2022/05/06 09:46:13 [92.38.176.30:58768] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][162].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][163].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][163].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][164].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" with password \"zhaodandan\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][164].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][165].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] connection with client version \"SSH-2.0-Go\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][165].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][166].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] [channel 0] session requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][166].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][167].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Parsed["message"] == "2022/05/06 09:52:12 [165.232.183.156:46374] [channel 0] command \"uname -s -v -n -r -m\" requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][167].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][168].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Parsed["message"] == "2022/05/06 09:52:12 [165.232.183.156:46374] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][168].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][169].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Parsed["message"] == "2022/05/06 09:54:43 [165.232.183.156:46374] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][169].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][170].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Parsed["message"] == "2022/05/06 10:01:04 [133.18.236.86:43326] authentication for user \"root\" with password \"Qq@12345\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][170].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][171].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Parsed["message"] == "2022/05/06 10:01:04 [133.18.236.86:43326] connection with client version 
\"SSH-2.0-libssh-0.6.3\" established" -results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][171].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][172].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43334] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][172].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][173].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43334] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][173].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][174].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43334] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][174].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][175].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43326] [channel 0] session requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][175].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][176].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43326] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/non-syslog"][176].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][177].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43326] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][177].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][178].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Parsed["message"] == "2022/05/06 10:06:35 [190.2.139.67:58629] [channel 137] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][178].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][179].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Parsed["message"] == "2022/05/06 10:06:35 [190.2.139.67:58629] [channel 137] input: \"GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][179].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][180].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Parsed["message"] == "2022/05/06 10:06:35 [190.2.139.67:58629] [channel 137] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][180].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][181].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] authentication for user \"admin\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][181].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][182].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] authentication for user \"admin\" with 
password \"aisadmin\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][182].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][183].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] connection with client version \"SSH-2.0-paramiko_1.12.4\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][183].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][184].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 0] direct TCP/IP forwarding from 127.0.0.1:5262 to 172.217.21.174:80 requested"
+results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Meta["datasource_path"] == "sshesame.log" 
+results["s00-raw"]["crowdsecurity/non-syslog"][184].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][185].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][185].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][186].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 1] direct TCP/IP forwarding from 127.0.0.1:1821 to [2a00:1450:400f:80a::200e]:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][186].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][187].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][187].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][188].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][188].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][189].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 1] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][189].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][190].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][190].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][191].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.142.25:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][191].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][192].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][192].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][193].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][193].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][194].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Parsed["message"] == "2022/05/06 10:39:59 [45.82.65.44:42736] [channel 28] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][194].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][195].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] authentication for user \"!root\" 
without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][195].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][196].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] authentication for user \"!root\" with password \"\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][196].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][197].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] connection with client version \"SSH-2.0-Granados-1.0\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][197].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][198].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] [channel 0] direct TCP/IP forwarding from 127.0.0.1:19536 to 172.217.21.174:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][198].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][199].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][199].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][200].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] [channel 1] direct TCP/IP forwarding from 127.0.0.1:17549 to [2a00:1450:400f:80a::200e]:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Meta["datasource_path"]) == 
"sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][200].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][201].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][201].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][202].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][202].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][203].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] [channel 1] closed" results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Meta["datasource_path"] == 
"sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][203].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][204].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][204].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][205].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Parsed["message"] == "2022/05/06 10:44:30 [202.153.33.62:26354] authentication for user \"ubnt\" without credentials rejected" results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][205].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][206].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Parsed["message"] == "2022/05/06 10:44:31 [202.153.33.62:26354] authentication for user \"ubnt\" with 
password \"ubnt1\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][206].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][207].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Parsed["message"] == "2022/05/06 10:44:31 [202.153.33.62:26354] connection with client version \"SSH-2.0-OpenSSH_7.4\" established" +results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][207].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][208].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Parsed["message"] == "2022/05/06 10:44:33 [202.153.33.62:26354] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][208].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][209].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Parsed["message"] == "2022/05/06 11:06:40 [190.2.139.67:7117] [channel 136] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][209].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][210].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Parsed["message"] == "2022/05/06 11:06:40 [190.2.139.67:7117] [channel 136] input: \"GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][210].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][211].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Parsed["message"] == "2022/05/06 11:06:40 [190.2.139.67:7117] [channel 136] closed" results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][211].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][212].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39240] authentication for user \"root\" with password \"Subby123123\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][212].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][213].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39240] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][213].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][214].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39240] 
connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][214].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][215].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][215].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][216].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][216].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][217].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][217].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][218].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Parsed["message"] == "2022/05/06 11:44:56 [190.2.139.67:58629] [channel 140] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][218].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][219].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Parsed["message"] == "2022/05/06 11:44:56 [190.2.139.67:58629] [channel 140] input: \"GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][219].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][220].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Parsed["message"] == "2022/05/06 11:44:56 [190.2.139.67:58629] [channel 140] closed" -results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][220].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][221].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Parsed["message"] == "2022/05/06 11:47:01 [217.95.152.37:62602] authentication for user \"sales\" with password \"sales123\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][221].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][222].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Parsed["message"] == "2022/05/06 11:47:01 [217.95.152.37:62602] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][222].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][223].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:33514] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][223].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][224].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:33514] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][224].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][225].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Parsed["message"] == "2022/05/06 11:47:02 
[217.95.152.37:33514] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][225].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][226].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:62602] [channel 0] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][226].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][227].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:62602] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][227].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][228].Success == true 
results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:62602] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][228].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][229].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.139.25:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][229].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][230].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][230].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][231].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Parsed["message"] == "2022/05/06 11:53:50 [45.82.65.44:42736] [channel 29] closed" results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][231].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][232].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Parsed["message"] == "2022/05/06 12:11:39 [190.2.139.67:7117] [channel 138] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][232].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][233].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Parsed["program"] == "sshesame" 
results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Parsed["message"] == "2022/05/06 12:11:39 [190.2.139.67:7117] [channel 138] input: \"GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" -results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][233].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][234].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Parsed["message"] == "2022/05/06 12:11:39 [190.2.139.67:7117] [channel 138] closed" results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][234].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][235].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] authentication for user \"root\" with password \"root\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][235].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][236].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] connection with client version \"SSH-2.0-libssh2_1.7.0\" established" results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][236].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][237].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 0] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][237].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][238].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 0] command \"/ip cloud print\" requested" results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Meta["datasource_path"]) == 
"sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][238].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][239].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][239].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][240].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][240].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][241].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] command \"ifconfig\" requested" 
-results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][241].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][242].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] closed" results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][242].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][243].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][243].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][244].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Parsed["message"] == "2022/05/06 12:33:29 [154.86.27.24:33448] 
authentication for user \"sam\" with password \"12345678\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][244].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][245].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Parsed["message"] == "2022/05/06 12:33:29 [154.86.27.24:33448] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][245].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][246].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Parsed["message"] == "2022/05/06 12:33:29 [154.86.27.24:33448] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][246].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][247].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Parsed["message"] == "2022/05/06 12:33:31 [154.86.27.24:34072] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][247].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][248].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Parsed["message"] == "2022/05/06 12:33:31 [154.86.27.24:34072] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][248].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][249].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Parsed["message"] == "2022/05/06 12:33:31 [154.86.27.24:34072] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][249].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][250].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] authentication for user \"admin\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][250].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][251].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] authentication for user \"admin\" with password \"aisadmin\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][251].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][252].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] connection with client version \"SSH-2.0-paramiko_1.16.1\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][252].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][253].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] direct TCP/IP forwarding from 127.0.0.1:4909 to 74.125.205.139:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][253].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][254].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][254].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][255].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Parsed["message"] ==
"2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][255].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][256].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 1] direct TCP/IP forwarding from 127.0.0.1:18210 to [2a00:1450:4010:c02::71]:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][256].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][257].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][257].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][258].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 1] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][258].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][259].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][259].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][260].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Parsed["message"] == "2022/05/06 12:58:50 [190.2.139.67:7117] [channel 141] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][260].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][261].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Parsed["message"] == "2022/05/06 12:58:50 [190.2.139.67:7117] [channel 141] input: \"GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][261].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][262].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Parsed["message"] == "2022/05/06 12:58:50 [190.2.139.67:7117] [channel 141] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][262].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][263].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] direct TCP/IP forwarding from
127.0.0.1:22 to 104.23.142.25:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][263].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][264].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][264].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][265].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Parsed["message"] == "2022/05/06 12:59:05 [45.82.65.44:42736] [channel 30] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][265].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][266].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Parsed["message"] == "2022/05/06 12:59:36 [45.82.65.44:42736] [channel 30] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][266].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][267].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Parsed["message"] == "2022/05/06 13:09:34 [190.2.139.67:58629] [channel 143] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][267].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][268].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Parsed["message"] == "2022/05/06 13:09:34 [190.2.139.67:58629] [channel 143] input: \"GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][268].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][269].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Parsed["message"] == "2022/05/06 13:09:34 [190.2.139.67:58629] [channel 143] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][269].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][270].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.142.17:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][270].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][271].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] input: \"GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][271].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][272].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] closed"
-results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][272].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][273].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] authentication for user \"!root\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][273].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][274].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] authentication for user \"!root\" with password \"\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][274].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][275].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] connection with client version \"SSH-2.0-PuTTY_Release_0.64\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][275].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][276].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 0] direct TCP/IP forwarding from 127.0.0.1:21561 to 172.217.21.174:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][276].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][277].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][277].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][278].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][278].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][279].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 1] direct TCP/IP forwarding from 127.0.0.1:29429 to [2a00:1450:400f:80a::200e]:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][279].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][280].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][280].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][281].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 1] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][281].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][282].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][282].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][283].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Parsed["message"] == "2022/05/06 13:25:37 [144.22.213.51:55710] authentication for user \"admin\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][283].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][284].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Parsed["message"] ==
"2022/05/06 13:25:40 [144.22.213.51:55710] authentication for user \"admin\" with password \"1234567\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][284].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][285].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Parsed["message"] == "2022/05/06 13:25:40 [144.22.213.51:55710] connection with client version \"SSH-2.0-OpenSSH_7.4\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][285].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][286].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Parsed["message"] == "2022/05/06 13:25:44 [144.22.213.51:55710] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][286].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][287].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Parsed["message"] == "2022/05/06 13:39:55 [65.49.20.66:23616] authentication for user \"\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][287].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][288].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] authentication for user \"admin\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][288].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][289].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] authentication for user \"admin\" with password \"aisadmin\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Meta["datasource_path"]) == "sshesame.log"
results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][289].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][290].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] connection with client version \"SSH-2.0-paramiko_2.0.2\" established" results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][290].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][291].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 0] direct TCP/IP forwarding from 127.0.0.1:23817 to 172.217.21.174:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][291].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][292].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: 
close\\r\\n\\r\\n\"" -results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][292].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][293].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 1] direct TCP/IP forwarding from 127.0.0.1:10037 to [2a00:1450:400f:80a::200e]:80 requested" -results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][293].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][294].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][294].Evt.Whitelisted == 
false results["s00-raw"]["crowdsecurity/non-syslog"][295].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][295].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][296].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 1] closed" results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][296].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][297].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][297].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][298].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Parsed["message"] == "2022/05/06 13:55:12 [190.2.139.67:58629] [channel 147] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" +results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][298].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][299].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Parsed["message"] == "2022/05/06 13:55:12 [190.2.139.67:58629] [channel 147] input: \"GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][299].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][300].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Parsed["message"] == "2022/05/06 13:55:12 [190.2.139.67:58629] 
[channel 147] closed" results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][300].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][301].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Parsed["message"] == "2022/05/06 13:59:17 [190.2.139.67:58629] [channel 149] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][301].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][302].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Parsed["message"] == "2022/05/06 13:59:17 [190.2.139.67:58629] [channel 149] input: \"GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Meta["datasource_path"] == "sshesame.log" 
+results["s00-raw"]["crowdsecurity/non-syslog"][302].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][303].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Parsed["message"] == "2022/05/06 13:59:17 [190.2.139.67:58629] [channel 149] closed" results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][303].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][304].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Parsed["message"] == "2022/05/06 14:28:01 [43.154.53.163:58300] authentication for user \"root\" with password \"xiaoming\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][304].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][305].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Parsed["message"] == "2022/05/06 14:28:01 [43.154.53.163:58300] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][305].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][306].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][306].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][307].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Meta["datasource_type"] == "file" -results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][307].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][308].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58300] 
[channel 0] session requested" -results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][308].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][309].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][309].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][310].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Parsed["message"] == "2022/05/06 14:28:05 [43.154.53.163:58300] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][310].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][311].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Parsed["program"] == "sshesame" 
results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Parsed["message"] == "2022/05/06 14:28:05 [43.154.53.163:58300] connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][311].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][312].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] authentication for user \"root\" with password \"Password321\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][312].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][313].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] connection with client version \"SSH-2.0-libssh-0.6.3\" established" -results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][313].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][314].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][314].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][315].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][315].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][316].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] [channel 0] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Meta["datasource_path"] == 
"sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][316].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][317].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][317].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][318].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][318].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][319].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][319].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][320].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Parsed["message"] == "2022/05/06 14:30:02 [45.239.216.250:45336] authentication for user \"root\" with password \"root#1234\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][320].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][321].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Parsed["message"] == "2022/05/06 14:30:02 [45.239.216.250:45336] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][321].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][322].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Parsed["message"] == "2022/05/06 14:30:05 
[45.239.216.250:46226] authentication for user \"nproc\" with password \"nproc\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][322].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][323].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:46226] connection with client version \"SSH-2.0-libssh-0.6.3\" established" results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][323].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][324].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:46226] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][324].Evt.Whitelisted == false 
results["s00-raw"]["crowdsecurity/non-syslog"][325].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:45336] [channel 0] session requested" results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][325].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][326].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:45336] [channel 0] closed" results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][326].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][327].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Parsed["program"] == "sshesame" results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:45336] connection closed" -results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Meta["datasource_path"] == "sshesame.log" +results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Parsed["program"] == "sshesame" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][327].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][328].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Parsed["message"] == "2022/05/06 14:56:33 [1.7.180.245:44604] authentication for user \"admin\" without credentials rejected" results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][328].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][329].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Parsed["message"] == "2022/05/06 14:56:35 [1.7.180.245:44604] authentication for user \"admin\" with password \"1234567\" accepted" results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][329].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][330].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Parsed["message"] == "2022/05/06 14:56:35 [1.7.180.245:44604] connection with client version \"SSH-2.0-OpenSSH_7.4\" established" results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Parsed["program"] == "sshesame" 
-results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][330].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][331].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Parsed["message"] == "2022/05/06 14:56:37 [1.7.180.245:44604] connection closed" results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][331].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][332].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.141.25:80 requested" results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Parsed["program"] == "sshesame" -results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Meta["datasource_path"]) == "sshesame.log" results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][332].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][333].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Parsed["program"] == "sshesame" 
 results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\""
-results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][333].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][334].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][334].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][335].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Parsed["message"] == "2022/05/06 15:35:31 [45.82.65.44:42736] [channel 31] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][335].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][336].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] authentication for user \"!root\" without credentials rejected"
 results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][336].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][337].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] authentication for user \"!root\" with password \"\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][337].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][338].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] connection with client version \"SSH-2.0-PuTTY_Release_0.63\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][338].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][339].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 0] direct TCP/IP forwarding from 127.0.0.1:17762 to 74.125.205.102:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][339].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][340].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][340].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][341].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][341].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][342].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] direct TCP/IP forwarding from 127.0.0.1:640 to [2a00:1450:4010:c02::64]:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][342].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][343].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][343].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][344].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][344].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][345].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] connection closed"
-results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][345].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][346].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] authentication for user \"root\" with password \"1234qwer\" accepted"
-results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][346].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][347].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
-results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][347].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][348].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39098] authentication for user \"nproc\" with password \"nproc\" accepted"
-results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][348].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][349].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39098] connection with client version \"SSH-2.0-libssh-0.6.3\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][349].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][350].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] [channel 0] session requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][350].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][351].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39098] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][351].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][352].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][352].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][353].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][353].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][354].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] authentication for user \"admin\" without credentials rejected"
-results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][354].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][355].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] authentication for user \"admin\" with password \"aisadmin\" accepted"
 results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][355].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][356].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] connection with client version \"SSH-2.0-PuTTY_Release_0.65\" established"
 results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][356].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][357].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] direct TCP/IP forwarding from 127.0.0.1:24423 to 74.125.205.138:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][357].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][358].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][358].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][359].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][359].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][360].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 1] direct TCP/IP forwarding from 127.0.0.1:1511 to [2a00:1450:4010:c02::8a]:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][360].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][361].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][361].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][362].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 1] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][362].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][363].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] connection closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][363].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][364].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Parsed["program"] == "sshesame"
 results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Parsed["message"] == "2022/05/06 15:44:30 [190.2.139.67:58629] [channel 151] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.136.142:80 requested"
-results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][364].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][365].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Parsed["message"] == "2022/05/06 15:44:30 [190.2.139.67:58629] [channel 151] input: \"GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][365].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][366].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Parsed["message"] == "2022/05/06 15:44:30 [190.2.139.67:58629] [channel 151] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][366].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][367].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.139.25:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][367].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][368].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][368].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][369].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][369].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][370].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Parsed["message"] == "2022/05/06 16:17:16 [45.82.65.44:42736] [channel 32] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][370].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][371].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] direct TCP/IP forwarding from 127.0.0.1:22 to 104.23.142.25:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][371].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][372].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][372].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][373].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][373].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][374].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Parsed["message"] == "2022/05/06 16:28:34 [45.82.65.44:42736] [channel 33] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][374].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][375].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][375].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][376].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] input: \"GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][376].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][377].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][377].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][378].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Parsed["message"] == "2022/05/06 16:41:59 [190.2.139.67:58629] [channel 155] direct TCP/IP forwarding from 127.0.0.1:22 to 142.93.134.128:80 requested"
 results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][378].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][379].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Parsed["message"] == "2022/05/06 16:41:59 [190.2.139.67:58629] [channel 155] input: \"GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Parsed["program"] == "sshesame"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][379].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][380].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Parsed["message"] == "2022/05/06 16:41:59 [190.2.139.67:58629] [channel 155] closed"
 results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Parsed["program"] == "sshesame"
-results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][380].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 381
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
@@ -2290,17 +2671,18 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][380].Success == false
 len(results["s01-parse"]["thespad/sshesame-logs"]) == 381
 results["s01-parse"]["thespad/sshesame-logs"][0].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][1].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["sshesame_input"] == "GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["timestamp"] == "2022/05/06 04:53:57"
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] input: \"GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["sshesame_input"] == "GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Parsed["timestamp"] == "2022/05/06 04:53:57"
+basename(results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["input"] == "GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][2].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][3].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][4].Success == true
@@ -2309,12 +2691,13 @@ results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Parsed["program"] == "sshes
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Parsed["sshesame_input"] == "GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Parsed["timestamp"] == "2022/05/06 04:58:33"
-results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["input"] == "GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][5].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][6].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][7].Success == true
@@ -2324,27 +2707,28 @@ results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Parsed["source_ip"] == "195
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Parsed["sshesame_password"] == "aisadmin"
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Parsed["sshesame_user"] == "admin"
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
+basename(results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["target_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["username"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][8].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][9].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][10].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
-results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s01-parse"]["thespad/sshesame-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][11].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][12].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][13].Success == true
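Review bot: The `Meta["username"]` assertions for the login events (index 7 in this hunk, and 17, 21, 28, 37 and 59 in the later hunks) are dropped without any replacement, so the suite no longer says anything about that key and passes whether or not the parser still emits it. If the intent is that `target_user` supersedes `username`, it is worth pinning the removal with a negative assertion next to the `target_user` line, e.g. `"username" not in results["s01-parse"]["thespad/sshesame-logs"][7].Evt.Meta`, assuming the assert expression language allows a membership test on Meta. Without it, a later regression that reintroduces a stale `username` key would go unnoticed here; the parser change that motivates the removal is not visible in this diff.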
@@ -2353,93 +2737,96 @@ results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Parsed["program"] == "sshe
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
+basename(results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][14].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][15].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][16].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][17].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["sshesame_password"] == "1"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["sshesame_user"] == "default"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["timestamp"] == "2022/05/06 05:11:02"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["message"] == "2022/05/06 05:11:02 [185.131.12.144:60273] authentication for user \"default\" with password \"1\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["source_ip"] == "185.131.12.144"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["source_ip"] == "185.131.12.144"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["target_user"] == "default"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["username"] == "default"
-results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["sshesame_password"] == "1"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["sshesame_user"] == "default"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Parsed["timestamp"] == "2022/05/06 05:11:02"
+basename(results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["source_ip"] == "185.131.12.144"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Meta["target_user"] == "default"
+results["s01-parse"]["thespad/sshesame-logs"][17].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][18].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][19].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][20].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][21].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" with password \"xuexiaoman\" accepted"
+results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["sshesame_password"] == "xuexiaoman"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["sshesame_user"] == "xuexiaoman"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["timestamp"] == "2022/05/06 05:37:28"
-results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" with password \"xuexiaoman\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["target_user"] == "xuexiaoman"
-results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["username"] == "xuexiaoman"
-results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][21].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][22].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][23].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][24].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] [channel 0] command \"uname -s -v -n -r -m\" requested"
+results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["sshesame_cmd"] == "uname -s -v -n -r -m"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["timestamp"] == "2022/05/06 05:37:28"
-results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] [channel 0] command \"uname -s -v -n -r -m\" requested"
-results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["command"] == "uname -s -v -n -r -m"
-results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["log_type"] == "sshesame_cmd"
 results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Meta["source_ip"] == "165.232.183.156"
+results["s01-parse"]["thespad/sshesame-logs"][24].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][25].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][26].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][27].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][28].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] authentication for user \"pi\" with password \"raspberryraspberry993311\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["sshesame_password"] == "raspberryraspberry993311"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["sshesame_user"] == "pi"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["timestamp"] == "2022/05/06 05:40:30"
-results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] authentication for user \"pi\" with password \"raspberryraspberry993311\" accepted"
+basename(results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["target_user"] == "pi"
-results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["username"] == "pi"
-results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][28].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][29].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][30].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][31].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][32].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][33].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested"
+results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["sshesame_cmd"] == "scp -t /tmp/taCiyiIF"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["timestamp"] == "2022/05/06 05:40:31"
-results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested"
-results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF"
+basename(results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["log_type"] == "sshesame_cmd"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["source_ip"] == "186.78.209.242"
-results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF"
+results["s01-parse"]["thespad/sshesame-logs"][33].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][34].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][35].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][36].Success == false
@@ -2450,13 +2837,13 @@ results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Parsed["source_ip"] == "18
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Parsed["sshesame_password"] == "raspberry"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Parsed["sshesame_user"] == "pi"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Parsed["timestamp"] == "2022/05/06 05:40:32"
+basename(results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["target_user"] == "pi"
-results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["username"] == "pi"
-results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][37].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][38].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][39].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][40].Success == false
@@ -2467,12 +2854,13 @@ results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Parsed["program"] == "sshe
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Parsed["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Parsed["sshesame_cmd"] == "scp -t /tmp/taCiyiIF"
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Parsed["timestamp"] == "2022/05/06 05:40:32"
-results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["source_ip"] == "186.78.209.242"
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF"
-results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["log_type"] == "sshesame_cmd"
+results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Meta["source_ip"] == "186.78.209.242"
+results["s01-parse"]["thespad/sshesame-logs"][42].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][43].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][44].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][45].Success == false
@@ -2482,82 +2870,87 @@ results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Parsed["program"] == "sshe
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Parsed["sshesame_input"] == "GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Parsed["timestamp"] == "2022/05/06 05:48:16"
-results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["input"] == "GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][46].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][47].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][48].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][49].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["sshesame_input"] == "GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["timestamp"] == "2022/05/06 06:08:09"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] input: \"GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["sshesame_input"] == "GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Parsed["timestamp"] == "2022/05/06 06:08:09"
+basename(results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["input"] == "GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][49].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][50].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][51].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][52].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] input: \"GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["sshesame_input"] == "GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["timestamp"] == "2022/05/06 06:12:22"
-results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] input: \"GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+basename(results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["input"] == "GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Meta["input"] == "GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][52].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][53].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][54].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][55].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["timestamp"] == "2022/05/06 06:40:52"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Parsed["timestamp"] == "2022/05/06 06:40:52"
+basename(results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][55].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][56].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Parsed["timestamp"] == "2022/05/06 06:40:52"
-results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][56].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][57].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][58].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][59].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] authentication for user \"default\" with password \"1\" accepted"
+results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["source_ip"] == "111.70.9.198"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["sshesame_password"] == "1"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["sshesame_user"] == "default"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["timestamp"] == "2022/05/06 06:41:29"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] authentication for user \"default\" with password \"1\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["source_ip"] == "111.70.9.198"
 results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["target_user"] == "default"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["username"] == "default"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][59].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][60].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][61].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][62].Success == false
@@ -2565,17 +2958,18 @@ results["s01-parse"]["thespad/sshesame-logs"][63].Success == false results["s01-parse"]["thespad/sshesame-logs"][64].Success == false results["s01-parse"]["thespad/sshesame-logs"][65].Success == false results["s01-parse"]["thespad/sshesame-logs"][66].Success == true +results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["source_ip"] == "195.3.147.60" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["timestamp"] == "2022/05/06 06:43:10" -results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" +basename(results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["source_ip"] == "195.3.147.60" -results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][66].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][67].Success == false 
results["s01-parse"]["thespad/sshesame-logs"][68].Success == false results["s01-parse"]["thespad/sshesame-logs"][69].Success == true 
@@ -2584,28 +2978,29 @@ results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Parsed["program"] == "sshe results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Parsed["source_ip"] == "195.3.147.60" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Parsed["timestamp"] == "2022/05/06 06:43:10" -results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Meta["source_ip"] == "195.3.147.60" +results["s01-parse"]["thespad/sshesame-logs"][69].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][70].Success == false results["s01-parse"]["thespad/sshesame-logs"][71].Success == false results["s01-parse"]["thespad/sshesame-logs"][72].Success == true +results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["message"] == "2022/05/06 07:05:23 [190.189.12.92:60614] authentication for user \"arjun\" with password \"arjun123\" accepted" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["source_ip"] == "190.189.12.92" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["sshesame_password"] == "arjun123" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["sshesame_user"] == "arjun" 
results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["timestamp"] == "2022/05/06 07:05:23" -results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Parsed["message"] == "2022/05/06 07:05:23 [190.189.12.92:60614] authentication for user \"arjun\" with password \"arjun123\" accepted" -results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["source_ip"] == "190.189.12.92" results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["target_user"] == "arjun" -results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Meta["username"] == "arjun" +results["s01-parse"]["thespad/sshesame-logs"][72].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][73].Success == false results["s01-parse"]["thespad/sshesame-logs"][74].Success == true results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:32868] authentication for user \"nproc\" with password \"nproc\" accepted" 
@@ -2614,13 +3009,13 @@ results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Parsed["source_ip"] == "19 results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Parsed["sshesame_password"] == "nproc" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Parsed["sshesame_user"] == "nproc" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Parsed["timestamp"] == "2022/05/06 07:05:25" -results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["source_ip"] == "190.189.12.92" results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["target_user"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Meta["username"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][74].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][75].Success == false results["s01-parse"]["thespad/sshesame-logs"][76].Success == false results["s01-parse"]["thespad/sshesame-logs"][77].Success == false 
@@ -2628,31 +3023,33 @@ results["s01-parse"]["thespad/sshesame-logs"][78].Success == false results["s01-parse"]["thespad/sshesame-logs"][79].Success == false results["s01-parse"]["thespad/sshesame-logs"][80].Success == false results["s01-parse"]["thespad/sshesame-logs"][81].Success == true -results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["timestamp"] == "2022/05/06 07:45:57" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["message"] == "2022/05/06 07:45:57 [190.2.139.67:58629] [channel 111] input: \"GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["sshesame_input"] == "GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" +results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Parsed["timestamp"] == "2022/05/06 07:45:57" +basename(results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["input"] == "GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["source_ip"] == "190.2.139.67" -results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][81].Evt.Whitelisted == 
false results["s01-parse"]["thespad/sshesame-logs"][82].Success == false results["s01-parse"]["thespad/sshesame-logs"][83].Success == false results["s01-parse"]["thespad/sshesame-logs"][84].Success == true +results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] input: \"GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["sshesame_input"] == "GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["timestamp"] == "2022/05/06 07:51:27" -results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] input: \"GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" -results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["input"] == "GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["service"] == "sshesame" 
results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][84].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][85].Success == false results["s01-parse"]["thespad/sshesame-logs"][86].Success == false results["s01-parse"]["thespad/sshesame-logs"][87].Success == true 
@@ -2661,54 +3058,58 @@ results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Parsed["program"] == "sshe results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Parsed["sshesame_input"] == "GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Parsed["timestamp"] == "2022/05/06 07:54:02" -results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["input"] == "GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][87].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][88].Success == false results["s01-parse"]["thespad/sshesame-logs"][89].Success == false results["s01-parse"]["thespad/sshesame-logs"][90].Success == true -results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["timestamp"] == "2022/05/06 08:01:27" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["message"] == "2022/05/06 08:01:27 [190.2.139.67:58629] [channel 115] input: \"GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" 
results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["sshesame_input"] == "GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" -results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Parsed["timestamp"] == "2022/05/06 08:01:27" +basename(results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["input"] == "GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][90].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][91].Success == false results["s01-parse"]["thespad/sshesame-logs"][92].Success == false results["s01-parse"]["thespad/sshesame-logs"][93].Success == true -results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["timestamp"] == "2022/05/06 08:06:24" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["message"] == "2022/05/06 08:06:24 [190.2.139.67:7117] [channel 106] input: \"GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["program"] == "sshesame" 
results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["sshesame_input"] == "GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" -results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Parsed["timestamp"] == "2022/05/06 08:06:24" +basename(results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["input"] == "GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][93].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][94].Success == false results["s01-parse"]["thespad/sshesame-logs"][95].Success == false results["s01-parse"]["thespad/sshesame-logs"][96].Success == true +results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] input: \"GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["sshesame_input"] == "GET 
/?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["timestamp"] == "2022/05/06 08:14:21" -results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] input: \"GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" -results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["source_ip"] == "190.2.139.67" -results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["input"] == "GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["service"] == "sshesame" +results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][96].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][97].Success == false results["s01-parse"]["thespad/sshesame-logs"][98].Success == false results["s01-parse"]["thespad/sshesame-logs"][99].Success == true 
@@ -2717,105 +3118,107 @@ results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Parsed["program"] == "sshe results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Parsed["source_ip"] == "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Parsed["sshesame_input"] == "GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Parsed["timestamp"] == "2022/05/06 08:36:14" -results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["input"] == "GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][99].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][100].Success == false results["s01-parse"]["thespad/sshesame-logs"][101].Success == false results["s01-parse"]["thespad/sshesame-logs"][102].Success == true +results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] input: \"GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["source_ip"] 
== "190.2.139.67" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["sshesame_input"] == "GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["timestamp"] == "2022/05/06 08:57:43" -results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] input: \"GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" -results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["input"] == "GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][102].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][103].Success == false results["s01-parse"]["thespad/sshesame-logs"][104].Success == false results["s01-parse"]["thespad/sshesame-logs"][105].Success == true +results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["message"] == "2022/05/06 09:14:09 [92.159.59.16:39498] authentication for user \"ubnt\" with password \"ubnt1\" accepted" +results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["program"] == "sshesame" 
results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["source_ip"] == "92.159.59.16" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["sshesame_password"] == "ubnt1" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["sshesame_user"] == "ubnt" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["timestamp"] == "2022/05/06 09:14:09" -results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["message"] == "2022/05/06 09:14:09 [92.159.59.16:39498] authentication for user \"ubnt\" with password \"ubnt1\" accepted" -results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Parsed["program"] == "sshesame" +basename(results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["source_ip"] == "92.159.59.16" results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["target_user"] == "ubnt" -results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["username"] == "ubnt" -results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["datasource_path"] == "sshesame.log" -results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["thespad/sshesame-logs"][105].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][106].Success == false results["s01-parse"]["thespad/sshesame-logs"][107].Success == false results["s01-parse"]["thespad/sshesame-logs"][108].Success == true -results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["sshesame_user"] == "roo" -results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["timestamp"] == "2022/05/06 09:14:14" 
results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["message"] == "2022/05/06 09:14:14 [15.207.177.208:41458] authentication for user \"roo\" with password \"123456\" accepted" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["source_ip"] == "15.207.177.208" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["sshesame_password"] == "123456" -results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["target_user"] == "roo" -results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["username"] == "roo" -results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["sshesame_user"] == "roo" +results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Parsed["timestamp"] == "2022/05/06 09:14:14" +basename(results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["source_ip"] == "15.207.177.208" +results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Meta["target_user"] == "roo" +results["s01-parse"]["thespad/sshesame-logs"][108].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][109].Success == false results["s01-parse"]["thespad/sshesame-logs"][110].Success == false results["s01-parse"]["thespad/sshesame-logs"][111].Success == true -results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["sshesame_password"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["sshesame_user"] == "nproc" 
-results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["timestamp"] == "2022/05/06 09:14:16" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] authentication for user \"nproc\" with password \"nproc\" accepted" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["source_ip"] == "15.207.177.208" -results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["username"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["sshesame_password"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["sshesame_user"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Parsed["timestamp"] == "2022/05/06 09:14:16" +basename(results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["source_ip"] == "15.207.177.208" results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Meta["target_user"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][111].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][112].Success == false results["s01-parse"]["thespad/sshesame-logs"][113].Success == false results["s01-parse"]["thespad/sshesame-logs"][114].Success == true +results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["message"] == "2022/05/06 09:15:03 [3.16.59.158:43316] authentication for user \"root\" with password \"sr1234\" accepted" 
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["sshesame_password"] == "sr1234"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["timestamp"] == "2022/05/06 09:15:03"
-results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Parsed["message"] == "2022/05/06 09:15:03 [3.16.59.158:43316] authentication for user \"root\" with password \"sr1234\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["source_ip"] == "3.16.59.158"
-results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["source_ip"] == "3.16.59.158"
+results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][114].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][115].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][116].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43318] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["sshesame_password"] == "knockknockwhosthere"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["timestamp"] == "2022/05/06 09:15:04"
-results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43318] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["target_user"] == "knockknockwhosthere"
-results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Meta["username"] == "knockknockwhosthere"
+results["s01-parse"]["thespad/sshesame-logs"][116].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][117].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][118].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][119].Success == false
@@ -2826,28 +3229,28 @@ results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Parsed["source_ip"] == "3
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Parsed["sshesame_password"] == "1212"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Parsed["timestamp"] == "2022/05/06 09:17:10"
-results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][120].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][121].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][122].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
-results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["timestamp"] == "2022/05/06 09:17:11"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43420] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["sshesame_password"] == "knockknockwhosthere"
-results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
+results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Parsed["timestamp"] == "2022/05/06 09:17:11"
+basename(results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["target_user"] == "knockknockwhosthere"
-results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Meta["username"] == "knockknockwhosthere"
+results["s01-parse"]["thespad/sshesame-logs"][122].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][123].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][124].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][125].Success == false
@@ -2858,12 +3261,13 @@ results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Parsed["sshesame_input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Parsed["timestamp"] == "2022/05/06 09:21:27"
+basename(results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Meta["input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][127].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][128].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][129].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][130].Success == true
@@ -2872,38 +3276,41 @@ results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Parsed["timestamp"] == "2022/05/06 09:23:00"
-results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][130].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][131].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["message"] == "2022/05/06 09:23:01 [45.82.65.44:42736] [channel 27] input: \"GET http://omegle.com/ 
HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["timestamp"] == "2022/05/06 09:23:01"
-results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["message"] == "2022/05/06 09:23:01 [45.82.65.44:42736] [channel 27] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like 
Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][131].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][132].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][133].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][134].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["timestamp"] == "2022/05/06 09:27:47"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["message"] == "2022/05/06 09:27:47 [190.2.139.67:7117] [channel 132] input: \"GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["sshesame_input"] == "GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Parsed["timestamp"] == "2022/05/06 09:27:47"
+basename(results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["input"] == "GET /?requestid=58465 
HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][134].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][135].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][136].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][137].Success == true
@@ -2912,43 +3319,46 @@ results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Parsed["sshesame_input"] == "GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Parsed["timestamp"] == "2022/05/06 09:36:45"
+basename(results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["input"] == "GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][137].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][138].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][139].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][140].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][141].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][142].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][143].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["timestamp"] == "2022/05/06 09:39:53"
-results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][143].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][144].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][145].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][146].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["timestamp"] == "2022/05/06 09:39:53"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: 
google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Parsed["timestamp"] == "2022/05/06 09:39:53"
+basename(results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][146].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][147].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][148].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][149].Success == true
@@ -2958,94 +3368,95 @@ results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Parsed["sshesame_password"] == "1234!@#$"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Parsed["timestamp"] == "2022/05/06 09:44:27"
-results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["source_ip"] == "190.123.44.157"
+results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][149].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][150].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][151].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["timestamp"] == "2022/05/06 09:44:29"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:51298] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["source_ip"] == "190.123.44.157"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["sshesame_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Parsed["timestamp"] == "2022/05/06 09:44:29"
+basename(results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["source_ip"] == "190.123.44.157"
 results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][151].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][152].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][153].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][154].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][155].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][156].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][157].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["sshesame_password"] == "tareq"
-results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["sshesame_user"] == "tareq"
-results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["timestamp"] == "2022/05/06 09:46:12"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["message"] == "2022/05/06 09:46:12 [92.38.176.30:58548] authentication for user \"tareq\" with password \"tareq\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["source_ip"] == "92.38.176.30"
-results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["sshesame_password"] == "tareq"
+results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["sshesame_user"] == "tareq"
+results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Parsed["timestamp"] == "2022/05/06 09:46:12"
+basename(results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["source_ip"] == "92.38.176.30"
 results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["target_user"] == "tareq"
-results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Meta["username"] == "tareq"
+results["s01-parse"]["thespad/sshesame-logs"][157].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][158].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][159].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][160].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["sshesame_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["timestamp"] == "2022/05/06 09:46:13"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["message"] == "2022/05/06 09:46:13 [92.38.176.30:58768] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["source_ip"] == "92.38.176.30"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["sshesame_password"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["sshesame_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Parsed["timestamp"] == "2022/05/06 09:46:13"
+basename(results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["source_ip"] == "92.38.176.30"
 results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][160].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][161].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][162].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][163].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][164].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" with password \"zhaodandan\" accepted"
+results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["sshesame_password"] == "zhaodandan"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["sshesame_user"] == "zhaodandan"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["timestamp"] == "2022/05/06 09:52:11"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" with password \"zhaodandan\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["source_ip"] == "165.232.183.156"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["target_user"] == "zhaodandan"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["username"] == "zhaodandan"
-results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["source_ip"] == "165.232.183.156"
+results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Meta["target_user"] == "zhaodandan"
+results["s01-parse"]["thespad/sshesame-logs"][164].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][165].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][166].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][167].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["message"] == "2022/05/06 09:52:12 [165.232.183.156:46374] [channel 0] command \"uname -s -v -n -r -m\" requested"
+results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["source_ip"] == "165.232.183.156"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["sshesame_cmd"] == "uname -s -v -n -r -m"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["timestamp"] == "2022/05/06 09:52:12"
-results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["message"] == "2022/05/06 09:52:12 [165.232.183.156:46374] [channel 0] command \"uname -s -v -n -r -m\" requested"
-results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Parsed["program"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["command"] == "uname -s -v -n -r -m"
+basename(results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["log_type"] == "sshesame_cmd"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["source_ip"] == "165.232.183.156"
-results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["command"] == "uname -s -v -n -r -m"
-results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][167].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][168].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][169].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][170].Success == true
@@ -3055,13 +3466,13 @@ results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Parsed["sshesame_password"] == "Qq@12345"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Parsed["timestamp"] == "2022/05/06 10:01:04"
-results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["source_ip"] == "133.18.236.86"
 results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta["username"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][171].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][172].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43334] authentication for user \"nproc\" with password \"nproc\" accepted"
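Review bot: The `Meta["username"]` assertion for event 170 is dropped in this hunk while `Meta["target_user"]` is kept, and nothing on the new side asserts that `username` is now absent, so the file no longer records whether the parser stopped emitting that key or the regenerated assertions merely stopped covering it. If the move to `target_user` is intentional, any scenario or postoverflow that filters on `evt.Meta.username` for sshesame events would silently stop matching, which is worth confirming against the parser change (not part of this diff). If the assert expression language supports it, pin the intent with a line such as `"username" not in results["s01-parse"]["thespad/sshesame-logs"][170].Evt.Meta`. The `basename(...)` form makes the `datasource_path` check independent of the test's working directory, and the added `Evt.Whitelisted == false` is a sensible guard that these honeypot hits from external IPs are not being whitelisted away.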
@@ -3070,13 +3481,13 @@ results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Parsed["sshesame_user"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Parsed["timestamp"] == "2022/05/06 10:01:07"
+basename(results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["source_ip"] == "133.18.236.86"
 results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][172].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][173].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][174].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][175].Success == false
@@ -3089,12 +3500,13 @@ results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Parsed["sshesame_input"] == "GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Parsed["timestamp"] == "2022/05/06 10:06:35"
+basename(results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["input"] == "GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Meta["input"] == "GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][179].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][180].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][181].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][182].Success == true
@@ -3104,27 +3516,28 @@ results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Parsed["source_ip"] == "1 results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Parsed["sshesame_password"] == "aisadmin" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Parsed["sshesame_user"] == "admin" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" -results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["source_ip"] == "193.105.134.95" results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["target_user"] == "admin" -results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Meta["username"] == "admin" +results["s01-parse"]["thespad/sshesame-logs"][182].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][183].Success == false results["s01-parse"]["thespad/sshesame-logs"][184].Success == false results["s01-parse"]["thespad/sshesame-logs"][185].Success == true -results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["source_ip"] == "193.105.134.95" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["sshesame_input"] == "GET / 
HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" +results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" +basename(results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["source_ip"] == "193.105.134.95" -results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][185].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][186].Success == false results["s01-parse"]["thespad/sshesame-logs"][187].Success == false results["s01-parse"]["thespad/sshesame-logs"][188].Success == true 
@@ -3133,12 +3546,13 @@ results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Parsed["program"] == "ssh results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Parsed["source_ip"] == "193.105.134.95" results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" -results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["service"] == "sshesame" -results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["source_ip"] == "193.105.134.95" -results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["log_type"] == "sshesame_input" +results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["service"] == "sshesame" +results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Meta["source_ip"] == "193.105.134.95" +results["s01-parse"]["thespad/sshesame-logs"][188].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][189].Success == false results["s01-parse"]["thespad/sshesame-logs"][190].Success == false results["s01-parse"]["thespad/sshesame-logs"][191].Success == false 
@@ -3148,41 +3562,44 @@ results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Parsed["program"] == "ssh results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Parsed["source_ip"] == "45.82.65.44" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Parsed["timestamp"] == "2022/05/06 10:39:28" -results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Meta["source_ip"] == "45.82.65.44" +results["s01-parse"]["thespad/sshesame-logs"][192].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][193].Success == true results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Parsed["source_ip"] == "45.82.65.44" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Parsed["timestamp"] == "2022/05/06 10:39:28" -results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["service"] == "sshesame" -results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["source_ip"] == "45.82.65.44" -results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["log_type"] == "sshesame_input" +results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["service"] == "sshesame" +results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Meta["source_ip"] == "45.82.65.44" +results["s01-parse"]["thespad/sshesame-logs"][193].Evt.Whitelisted == false 
results["s01-parse"]["thespad/sshesame-logs"][194].Success == false results["s01-parse"]["thespad/sshesame-logs"][195].Success == false results["s01-parse"]["thespad/sshesame-logs"][196].Success == false results["s01-parse"]["thespad/sshesame-logs"][197].Success == false results["s01-parse"]["thespad/sshesame-logs"][198].Success == false results["s01-parse"]["thespad/sshesame-logs"][199].Success == true -results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" -results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["timestamp"] == "2022/05/06 10:43:18" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["source_ip"] == "193.105.134.95" -results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" +results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Parsed["timestamp"] == "2022/05/06 10:43:18" +basename(results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["service"] == "sshesame" 
results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Meta["source_ip"] == "193.105.134.95" +results["s01-parse"]["thespad/sshesame-logs"][199].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][200].Success == false results["s01-parse"]["thespad/sshesame-logs"][201].Success == false results["s01-parse"]["thespad/sshesame-logs"][202].Success == true 
@@ -3191,29 +3608,30 @@ results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Parsed["program"] == "ssh results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Parsed["source_ip"] == "193.105.134.95" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Parsed["timestamp"] == "2022/05/06 10:43:19" -results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["log_type"] == "sshesame_input" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Meta["source_ip"] == "193.105.134.95" +results["s01-parse"]["thespad/sshesame-logs"][202].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][203].Success == false results["s01-parse"]["thespad/sshesame-logs"][204].Success == false results["s01-parse"]["thespad/sshesame-logs"][205].Success == false results["s01-parse"]["thespad/sshesame-logs"][206].Success == true -results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["sshesame_user"] == "ubnt" -results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["timestamp"] == "2022/05/06 10:44:31" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["message"] == "2022/05/06 10:44:31 [202.153.33.62:26354] authentication for user \"ubnt\" with password \"ubnt1\" accepted" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["program"] == "sshesame" 
results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["source_ip"] == "202.153.33.62" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["sshesame_password"] == "ubnt1" -results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["sshesame_user"] == "ubnt" +results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Parsed["timestamp"] == "2022/05/06 10:44:31" +basename(results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["source_ip"] == "202.153.33.62" results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["target_user"] == "ubnt" -results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Meta["username"] == "ubnt" +results["s01-parse"]["thespad/sshesame-logs"][206].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][207].Success == false results["s01-parse"]["thespad/sshesame-logs"][208].Success == false results["s01-parse"]["thespad/sshesame-logs"][209].Success == false 
@@ -3223,12 +3641,13 @@ results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Parsed["sshesame_input"] == "GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Parsed["timestamp"] == "2022/05/06 11:06:40"
+basename(results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["input"] == "GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Meta["input"] == "GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][210].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][211].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][212].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39240] authentication for user \"root\" with password \"Subby123123\" accepted"
@@ -3237,44 +3656,45 @@ results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Parsed["source_ip"] == "6 results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Parsed["sshesame_password"] == "Subby123123" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Parsed["sshesame_user"] == "root" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Parsed["timestamp"] == "2022/05/06 11:44:51" -results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["username"] == "root" -results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["source_ip"] == "65.108.254.29" results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Meta["target_user"] == "root" +results["s01-parse"]["thespad/sshesame-logs"][212].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][213].Success == false results["s01-parse"]["thespad/sshesame-logs"][214].Success == false results["s01-parse"]["thespad/sshesame-logs"][215].Success == true -results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["sshesame_user"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["timestamp"] == "2022/05/06 11:44:51" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] authentication for user \"nproc\" with password \"nproc\" accepted" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["source_ip"] == "65.108.254.29" 
results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["sshesame_password"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["sshesame_user"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Parsed["timestamp"] == "2022/05/06 11:44:51" +basename(results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["log_type"] == "sshesame_login" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["service"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["source_ip"] == "65.108.254.29" results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["target_user"] == "nproc" -results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Meta["username"] == "nproc" +results["s01-parse"]["thespad/sshesame-logs"][215].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][216].Success == false results["s01-parse"]["thespad/sshesame-logs"][217].Success == false results["s01-parse"]["thespad/sshesame-logs"][218].Success == false results["s01-parse"]["thespad/sshesame-logs"][219].Success == true -results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["timestamp"] == "2022/05/06 11:44:56" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["message"] == "2022/05/06 11:44:56 [190.2.139.67:58629] [channel 140] input: \"GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["source_ip"] == "190.2.139.67" 
results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["sshesame_input"] == "GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" -results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["service"] == "sshesame" -results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["source_ip"] == "190.2.139.67" -results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["datasource_path"] == "sshesame.log" +results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Parsed["timestamp"] == "2022/05/06 11:44:56" +basename(results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["input"] == "GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["log_type"] == "sshesame_input" +results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["service"] == "sshesame" +results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Meta["source_ip"] == "190.2.139.67" +results["s01-parse"]["thespad/sshesame-logs"][219].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][220].Success == false results["s01-parse"]["thespad/sshesame-logs"][221].Success == true results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Parsed["message"] == "2022/05/06 11:47:01 [217.95.152.37:62602] authentication for user \"sales\" with password \"sales123\" accepted" 
@@ -3283,13 +3703,13 @@ results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Parsed["source_ip"] == "2
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Parsed["sshesame_password"] == "sales123"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Parsed["sshesame_user"] == "sales"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Parsed["timestamp"] == "2022/05/06 11:47:01"
-results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["username"] == "sales"
-results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["source_ip"] == "217.95.152.37"
 results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Meta["target_user"] == "sales"
+results["s01-parse"]["thespad/sshesame-logs"][221].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][222].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][223].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:33514] authentication for user \"nproc\" with password \"nproc\" accepted"
@@ -3298,13 +3718,13 @@ results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Parsed["source_ip"] == "2
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Parsed["sshesame_user"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Parsed["timestamp"] == "2022/05/06 11:47:02"
-results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["source_ip"] == "217.95.152.37"
 results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Meta["target_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][223].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][224].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][225].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][226].Success == false
@@ -3312,17 +3732,18 @@ results["s01-parse"]["thespad/sshesame-logs"][227].Success == false results["s01-parse"]["thespad/sshesame-logs"][228].Success == false results["s01-parse"]["thespad/sshesame-logs"][229].Success == false results["s01-parse"]["thespad/sshesame-logs"][230].Success == true +results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n\"" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["program"] == "sshesame" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["source_ip"] == "45.82.65.44" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["timestamp"] == "2022/05/06 11:53:48" -results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n\"" -results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["service"] == "sshesame" 
-results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["source_ip"] == "45.82.65.44" -results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["datasource_path"]) == "sshesame.log" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n" results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["log_type"] == "sshesame_input" +results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["service"] == "sshesame" +results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Meta["source_ip"] == "45.82.65.44" +results["s01-parse"]["thespad/sshesame-logs"][230].Evt.Whitelisted == false results["s01-parse"]["thespad/sshesame-logs"][231].Success == false results["s01-parse"]["thespad/sshesame-logs"][232].Success == false results["s01-parse"]["thespad/sshesame-logs"][233].Success == true 
@@ -3331,27 +3752,28 @@ results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Parsed["sshesame_input"] == "GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Parsed["timestamp"] == "2022/05/06 12:11:39"
+basename(results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["input"] == "GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Meta["input"] == "GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][233].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][234].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][235].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] authentication for user \"root\" with password \"root\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["source_ip"] == "188.255.62.33"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["sshesame_password"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["sshesame_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["source_ip"] == "188.255.62.33"
-results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39"
+basename(results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["source_ip"] == "188.255.62.33"
+results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][235].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][236].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][237].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][238].Success == true
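Review bot: The regenerated expectations for event 235 drop `Evt.Meta["username"] == "root"` while keeping `Evt.Meta["target_user"] == "root"`, so any scenario, postoverflow or notification template that still reads `evt.Meta.username` on sshesame_login events will silently get an empty string instead of failing this test. If consolidating on `target_user` is intentional, a grep of the hub for `Meta.username` consumers of this parser and a changelog line would make that explicit; if not, the parser change behind this fixture should keep emitting both keys. The loosened `basename(... Meta["datasource_path"]) == "sshesame.log"` assertion is reasonable, since the absolute path depends on where the test runner checks out the fixtures. This file appears to be tooling-generated output, so any fix belongs in the parser rather than in these lines.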
@@ -3361,25 +3783,27 @@ results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Parsed["sshesame_cmd"] == "/ip cloud print"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["command"] == "/ip cloud print"
-results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["log_type"] == "sshesame_cmd"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Meta["source_ip"] == "188.255.62.33"
+results["s01-parse"]["thespad/sshesame-logs"][238].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][239].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][240].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][241].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["sshesame_cmd"] == "ifconfig"
-results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] command \"ifconfig\" requested"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["source_ip"] == "188.255.62.33"
+results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["sshesame_cmd"] == "ifconfig"
+results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39"
+results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["command"] == "ifconfig"
+basename(results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["log_type"] == "sshesame_cmd"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["source_ip"] == "188.255.62.33"
-results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["command"] == "ifconfig"
-results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][241].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][242].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][243].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][244].Success == true
@@ -3389,13 +3813,13 @@ results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Parsed["sshesame_password"] == "12345678"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Parsed["sshesame_user"] == "sam"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Parsed["timestamp"] == "2022/05/06 12:33:29"
-results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["target_user"] == "sam"
-results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["username"] == "sam"
-results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["source_ip"] == "154.86.27.24"
+results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Meta["target_user"] == "sam"
+results["s01-parse"]["thespad/sshesame-logs"][244].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][245].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][246].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][247].Success == true
@@ -3405,13 +3829,13 @@ results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Parsed["sshesame_user"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Parsed["timestamp"] == "2022/05/06 12:33:31"
+basename(results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["source_ip"] == "154.86.27.24"
 results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][247].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][248].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][249].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][250].Success == false
@@ -3422,41 +3846,43 @@ results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Parsed["sshesame_password"] == "aisadmin"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Parsed["sshesame_user"] == "admin"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33"
+basename(results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["target_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["username"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][251].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][252].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][253].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][254].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33"
-results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s01-parse"]["thespad/sshesame-logs"][254].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][255].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][256].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][257].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33"
+basename(results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s01-parse"]["thespad/sshesame-logs"][257].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][258].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][259].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][260].Success == false
@@ -3466,38 +3892,41 @@ results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Parsed["sshesame_input"] == "GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Parsed["timestamp"] == "2022/05/06 12:58:50"
-results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["input"] == "GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][261].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][262].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][263].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][264].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["timestamp"] == "2022/05/06 12:59:04"
-results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][264].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][265].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Parsed["message"] == "2022/05/06 12:59:05 [45.82.65.44:42736] [channel 30] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Parsed["timestamp"] == "2022/05/06 12:59:05"
-results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][265].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][266].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][267].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][268].Success == true
@@ -3506,26 +3935,28 @@ results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Parsed["sshesame_input"] == "GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Parsed["timestamp"] == "2022/05/06 13:09:34"
-results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["input"] == "GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][268].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][269].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][270].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][271].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] input: \"GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["sshesame_input"] == "GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["timestamp"] == "2022/05/06 13:12:20"
-results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] input: \"GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["input"] == "GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][271].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][272].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][273].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][274].Success == false
@@ -3537,12 +3968,13 @@ results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Parsed["source_ip"] == "193.105.134.95"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Parsed["timestamp"] == "2022/05/06 13:18:31"
-results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Meta["source_ip"] == "193.105.134.95"
+results["s01-parse"]["thespad/sshesame-logs"][277].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][278].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][279].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][280].Success == true
@@ -3551,61 +3983,63 @@ results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Parsed["source_ip"] == "193.105.134.95"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Parsed["timestamp"] == "2022/05/06 13:18:31"
-results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Meta["source_ip"] == "193.105.134.95"
+results["s01-parse"]["thespad/sshesame-logs"][280].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][281].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][282].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][283].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][284].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["sshesame_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["timestamp"] == "2022/05/06 13:25:40"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["message"] == "2022/05/06 13:25:40 [144.22.213.51:55710] authentication for user \"admin\" with password \"1234567\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["source_ip"] == "144.22.213.51"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["sshesame_password"] == "1234567"
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["source_ip"] == "144.22.213.51"
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["target_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["username"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["sshesame_user"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Parsed["timestamp"] == "2022/05/06 13:25:40"
+basename(results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["source_ip"] == "144.22.213.51"
+results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][284].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][285].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][286].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][287].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][288].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][289].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["sshesame_password"] == "aisadmin"
-results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["sshesame_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] authentication for user \"admin\" with password \"aisadmin\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["source_ip"] == "193.105.134.95"
-results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["username"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["sshesame_password"] == "aisadmin"
+results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["sshesame_user"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37"
+basename(results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["source_ip"] == "193.105.134.95"
 results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][289].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][290].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][291].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][292].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["source_ip"] == "193.105.134.95"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37"
+basename(results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Meta["source_ip"] == "193.105.134.95"
+results["s01-parse"]["thespad/sshesame-logs"][292].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][293].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][294].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][295].Success == true
@@ -3614,12 +4048,13 @@ results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Parsed["source_ip"] == "193.105.134.95"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37"
-results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Meta["source_ip"] == "193.105.134.95"
+results["s01-parse"]["thespad/sshesame-logs"][295].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][296].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][297].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][298].Success == false
@@ -3629,12 +4064,13 @@ results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Parsed["sshesame_input"] == "GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Parsed["timestamp"] == "2022/05/06 13:55:12"
+basename(results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["input"] == "GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Meta["input"] == "GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][299].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][300].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][301].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][302].Success == true
@@ -3643,42 +4079,43 @@ results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Parsed["sshesame_input"] == "GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Parsed["timestamp"] == "2022/05/06 13:59:17"
-results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["input"] == "GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][302].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][303].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][304].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["sshesame_password"] == "xiaoming"
-results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["sshesame_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["timestamp"] == "2022/05/06 14:28:01"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["message"] == "2022/05/06 14:28:01 [43.154.53.163:58300] authentication for user \"root\" with password \"xiaoming\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["source_ip"] == "43.154.53.163"
+results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["sshesame_password"] == "xiaoming"
+results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["sshesame_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Parsed["timestamp"] == "2022/05/06 14:28:01"
+basename(results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["source_ip"] == "43.154.53.163"
 results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][304].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][305].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][306].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] authentication for user \"nproc\" with password \"nproc\" accepted"
+results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["source_ip"] == "43.154.53.163"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["sshesame_user"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["timestamp"] == "2022/05/06 14:28:04"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] authentication for user \"nproc\" with password \"nproc\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["source_ip"] == "43.154.53.163"
 results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][306].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][307].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][308].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][309].Success == false
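Review bot: The new side of this hunk drops the `Evt.Meta["username"]` assertions for events [304] and [306] while keeping `Evt.Meta["target_user"]`, so the regenerated expectations no longer pin that field at all; if the sshesame parser itself stopped setting `username` (rather than the generator merely omitting it), any scenario or profile that filters on `evt.Meta.username` would silently stop matching, and that is worth confirming against the parser before merging. The same removal recurs in the hunks `@@ -3691,62 +4128,62 @@`, `@@ -3754,46 +4191,48 @@`, `@@ -3805,57 +4244,59 @@` and `@@ -3869,27 +4310,28 @@`. The added `Evt.Whitelisted == false` lines are a useful regression guard, since an accidental whitelist on one of these honeypot source IPs would otherwise only surface as a missing alert downstream. Wrapping `datasource_path` in `basename(...)` deliberately stops pinning the directory, which is fine for portability but means the assertion now accepts any path ending in `sshesame.log`.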
@@ -3691,62 +4128,62 @@ results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Parsed["source_ip"] == "8
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Parsed["sshesame_password"] == "Password321"
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Parsed["timestamp"] == "2022/05/06 14:28:15"
-results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["source_ip"] == "87.121.6.204"
-results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["username"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["source_ip"] == "87.121.6.204"
+results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][312].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][313].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][314].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["timestamp"] == "2022/05/06 14:28:15"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["source_ip"] == "87.121.6.204"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["sshesame_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Parsed["timestamp"] == "2022/05/06 14:28:15"
+basename(results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["source_ip"] == "87.121.6.204"
 results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][314].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][315].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][316].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][317].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][318].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][319].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][320].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["timestamp"] == "2022/05/06 14:30:02"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["message"] == "2022/05/06 14:30:02 [45.239.216.250:45336] authentication for user \"root\" with password \"root#1234\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["source_ip"] == "45.239.216.250"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["sshesame_password"] == "root#1234"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["sshesame_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Parsed["timestamp"] == "2022/05/06 14:30:02"
+basename(results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["source_ip"] == "45.239.216.250"
 results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Meta["username"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][320].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][321].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][322].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["sshesame_password"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["sshesame_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["timestamp"] == "2022/05/06 14:30:05"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:46226] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["source_ip"] == "45.239.216.250"
-results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["username"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["sshesame_password"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["sshesame_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Parsed["timestamp"] == "2022/05/06 14:30:05"
+basename(results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["source_ip"] == "45.239.216.250"
 results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Meta["target_user"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][322].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][323].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][324].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][325].Success == false
@@ -3754,46 +4191,48 @@ results["s01-parse"]["thespad/sshesame-logs"][326].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][327].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][328].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][329].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["sshesame_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["timestamp"] == "2022/05/06 14:56:35"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["message"] == "2022/05/06 14:56:35 [1.7.180.245:44604] authentication for user \"admin\" with password \"1234567\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["source_ip"] == "1.7.180.245"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["sshesame_password"] == "1234567"
-results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["sshesame_user"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Parsed["timestamp"] == "2022/05/06 14:56:35"
+basename(results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["source_ip"] == "1.7.180.245"
 results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["target_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Meta["username"] == "admin"
+results["s01-parse"]["thespad/sshesame-logs"][329].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][330].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][331].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][332].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][333].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["timestamp"] == "2022/05/06 15:35:00"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Parsed["timestamp"] == "2022/05/06 15:35:00"
+basename(results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][333].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][334].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["timestamp"] == "2022/05/06 15:35:00"
-results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][334].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][335].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][336].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][337].Success == false
@@ -3805,57 +4244,59 @@ results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Parsed["timestamp"] == "2022/05/06 15:38:52"
+basename(results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][340].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][341].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][342].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][343].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["timestamp"] == "2022/05/06 15:38:52"
-results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][343].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][344].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][345].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][346].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] authentication for user \"root\" with password \"1234qwer\" accepted"
+results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["source_ip"] == "65.108.254.28"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["sshesame_password"] == "1234qwer"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["sshesame_user"] == "root"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33"
-results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] authentication for user \"root\" with password \"1234qwer\" accepted"
-results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["source_ip"] == "65.108.254.28"
 results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["target_user"] == "root"
-results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Meta["username"] == "root"
+results["s01-parse"]["thespad/sshesame-logs"][346].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][347].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][348].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39098] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["source_ip"] == "65.108.254.28"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["sshesame_password"] == "nproc"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["sshesame_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33"
+basename(results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["source_ip"] == "65.108.254.28"
 results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["target_user"] == "nproc"
-results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Meta["username"] == "nproc"
+results["s01-parse"]["thespad/sshesame-logs"][348].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][349].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][350].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][351].Success == false
@@ -3869,27 +4310,28 @@ results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Parsed["source_ip"] == "1
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Parsed["sshesame_password"] == "aisadmin"
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Parsed["sshesame_user"] == "admin"
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33"
+basename(results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["log_type"] == "sshesame_login"
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["target_user"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["username"] == "admin"
-results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["log_type"] == "sshesame_login"
+results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][356].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][357].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][358].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33"
-results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["service"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["log_type"] == "sshesame_input"
+results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s01-parse"]["thespad/sshesame-logs"][358].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][359].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][360].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][361].Success == true
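Review bot: The `Evt.Meta["username"]` assertion for event [355] is removed while `target_user` for the same event is kept, and the same key disappears from the other login events in this diff (the preceding hunk for [346] and [348], and the hunk at @@ -4036 for [2], [5] and [6]). If these expectations were regenerated from the parser's current output rather than edited by hand, the removal ratifies whatever the parser now emits instead of checking it, so it is worth confirming that dropping the `username` meta key is intentional and that nothing downstream still filters on `evt.Meta.username` for sshesame events; otherwise the line `results["s01-parse"]["thespad/sshesame-logs"][355].Evt.Meta["username"] == "admin"` should be restored. The switch to `basename(...)` for `datasource_path` and the added `Evt.Whitelisted == false` line per event are applied consistently across all hunks and need no further change.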
@@ -3898,12 +4340,13 @@ results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33"
-results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s01-parse"]["thespad/sshesame-logs"][361].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][362].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][363].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][364].Success == false
@@ -3913,38 +4356,41 @@ results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Parsed["sshesame_input"] == "GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Parsed["timestamp"] == "2022/05/06 15:44:30"
-results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["input"] == "GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["service"] == "sshesame"
+results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][365].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][366].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][367].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][368].Success == true
-results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
-results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
+basename(results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][368].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][369].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
-results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Parsed["program"] == "sshesame"
+basename(results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
+results["s01-parse"]["thespad/sshesame-logs"][369].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][370].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][371].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][372].Success == true
@@ -3953,38 +4399,41 @@ results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Parsed["timestamp"] == "2022/05/06 16:28:03"
-results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][372].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][373].Success == true
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n\""
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Parsed["timestamp"] == "2022/05/06 16:28:03"
-results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s01-parse"]["thespad/sshesame-logs"][373].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][374].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][375].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][376].Success == true
+results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] input: \"GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["program"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["sshesame_input"] == "GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["timestamp"] == "2022/05/06 16:33:02"
-results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] input: \"GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Parsed["program"] == "sshesame"
-results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["input"] == "GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s01-parse"]["thespad/sshesame-logs"][376].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][377].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][378].Success == false
 results["s01-parse"]["thespad/sshesame-logs"][379].Success == true
@@ -3993,21 +4442,22 @@ results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Parsed["sshesame_input"] == "GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Parsed["timestamp"] == "2022/05/06 16:41:59"
+basename(results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["input"] == "GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["log_type"] == "sshesame_input"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["service"] == "sshesame"
 results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s01-parse"]["thespad/sshesame-logs"][379].Evt.Whitelisted == false
 results["s01-parse"]["thespad/sshesame-logs"][380].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 113
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] input: \"GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshesame_input"] == "GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022/05/06 04:53:57"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022/05/06 04:53:57 [190.2.139.67:58629] [channel 106] input: \"GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["input"] == "GET /?requestid=53219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "sshesame_input"
@@ -4015,20 +4465,22 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-05-06T04:53:57Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-05-06T04:53:57Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022/05/06 04:58:33 [190.2.139.67:7117] [channel 63] input: \"GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshesame_input"] == "GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022/05/06 04:58:33"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-05-06T04:58:33Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["input"] == "GET /?requestid=61619 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-05-06T04:58:33Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-05-06T04:58:33Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] authentication for user \"admin\" with password \"aisadmin\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "sshesame"
@@ -4036,119 +4488,123 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshesame_password"] == "aisadmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshesame_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-05-06T05:10:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:10:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-05-06T05:10:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:10:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2022/05/06 05:10:03"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "2022/05/06 05:10:03 [195.3.147.60:28696] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "195.3.147.60"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-05-06T05:10:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "195.3.147.60"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-05-06T05:10:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:10:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshesame_user"] == "default"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022/05/06 05:11:02"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2022/05/06 05:11:02 [185.131.12.144:60273] authentication for user \"default\" with password \"1\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "185.131.12.144"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshesame_password"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "default"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-05-06T05:11:02Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "default"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshesame_user"] == "default"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2022/05/06 05:11:02"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "185.131.12.144"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "default"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-05-06T05:11:02Z"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:11:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" with password \"xuexiaoman\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["sshesame_password"] == "xuexiaoman" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["sshesame_user"] == "xuexiaoman" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "2022/05/06 05:37:28" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] authentication for user \"xuexiaoman\" with password \"xuexiaoman\" accepted" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "xuexiaoman" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2022-05-06T05:37:28Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "xuexiaoman" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:37:28Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "2022/05/06 05:37:28" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "2022/05/06 05:37:28 [165.232.183.156:55934] [channel 0] command \"uname -s -v -n -r -m\" requested" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["sshesame_cmd"] == "uname -s -v -n -r -m" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-05-06T05:37:28Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "2022/05/06 05:37:28" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["command"] == "uname -s -v -n -r -m" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "sshesame_cmd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == 
"165.232.183.156" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2022-05-06T05:37:28Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:37:28Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["sshesame_password"] == "raspberryraspberry993311" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["sshesame_user"] == "pi" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "2022/05/06 05:40:30" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "2022/05/06 05:40:30 [186.78.209.242:47338] authentication for user \"pi\" with password \"raspberryraspberry993311\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "186.78.209.242" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-05-06T05:40:30Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "pi" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["sshesame_password"] == "raspberryraspberry993311" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["sshesame_user"] == "pi" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "2022/05/06 05:40:30" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "186.78.209.242" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "pi" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2022-05-06T05:40:30Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:40:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "2022/05/06 05:40:31 [186.78.209.242:47338] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "186.78.209.242" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["sshesame_cmd"] == "scp -t /tmp/taCiyiIF" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "2022/05/06 05:40:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "sshesame_cmd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "sshesame" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "186.78.209.242" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2022-05-06T05:40:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:40:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] authentication for user \"pi\" with password \"raspberry\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "sshesame" 
@@ -4156,78 +4612,82 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["sshesame_password"] == "raspberry"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["sshesame_user"] == "pi"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "2022/05/06 05:40:32"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "186.78.209.242"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "pi"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-05-06T05:40:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "pi"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:40:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "2022/05/06 05:40:32"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2022/05/06 05:40:32 [186.78.209.242:47346] [channel 0] command \"scp -t /tmp/taCiyiIF\" requested"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "186.78.209.242"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["sshesame_cmd"] == "scp -t /tmp/taCiyiIF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "186.78.209.242"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-05-06T05:40:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "2022/05/06 05:40:32"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["command"] == "scp -t /tmp/taCiyiIF"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "sshesame_cmd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "186.78.209.242"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-05-06T05:40:32Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:40:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "2022/05/06 05:48:16 [190.2.139.67:7117] [channel 76] input: \"GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["sshesame_input"] == "GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["timestamp"] == "2022/05/06 05:48:16"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "2022/05/06 05:48:16 [190.2.139.67:7117] [channel 76] input: \"GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2022-05-06T05:48:16Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["input"] == "GET /?requestid=78679 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2022-05-06T05:48:16Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2022-05-06T05:48:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] input: \"GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["sshesame_input"] == "GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["timestamp"] == "2022/05/06 06:08:09"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "2022/05/06 06:08:09 [190.2.139.67:7117] [channel 92] input: \"GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2022-05-06T06:08:09Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["input"] == "GET /?requestid=16383 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2022-05-06T06:08:09Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:08:09Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] input: \"GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["sshesame_input"] == "GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["timestamp"] == "2022/05/06 06:12:22"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "2022/05/06 06:12:22 [190.2.139.67:58629] [channel 109] input: \"GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["input"] == "GET /?requestid=34743 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2022-05-06T06:12:22Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"] == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:12:22Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["timestamp"] == "2022/05/06 06:40:52"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "sshesame_input"
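Review bot: The removed line `-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "pi"` has no `+` counterpart, so event [10] is no longer asserted to carry a `username` meta key while `target_user` keeps the same value; the same unreplaced drop appears for event [17] in the next hunk and for events [20] and [21] in the hunk starting at `@@ -4300,94 +4764,98 @@`. If these assertions are regenerated from the parser's actual output, as the wholesale reordering suggests, a scenario that still reads `evt.Meta.username` would quietly stop matching without any check in this file failing. It would help for the commit description to state that the enrichment intentionally stopped emitting `username` in favour of `target_user` and that dependent scenarios were migrated. The file header for this section and the preceding hunk begin outside this excerpt.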
@@ -4235,29 +4695,30 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2022-05-06T06:40:52Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:40:52Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["timestamp"] == "2022/05/06 06:40:52"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "2022/05/06 06:40:52 [45.82.65.44:42736] [channel 26] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2022-05-06T06:40:52Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2022-05-06T06:40:52Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:40:52Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] authentication for user \"default\" with password \"1\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_ip"] == "111.70.9.198"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["sshesame_password"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["sshesame_user"] == "default"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["timestamp"] == "2022/05/06 06:41:29"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["message"] == "2022/05/06 06:41:29 [111.70.9.198:39673] authentication for user \"default\" with password \"1\" accepted"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["username"] == "default"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "sshesame"
@@ -4265,34 +4726,37 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["target_user"] == "default"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2022-05-06T06:41:29Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:41:29Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["timestamp"] == "2022/05/06 06:43:10"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2022-05-06T06:43:10Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:43:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["message"] == "2022/05/06 06:43:10 [195.3.147.60:38745] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["timestamp"] == "2022/05/06 06:43:10"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["timestamp"] == "2022-05-06T06:43:10Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Enriched["MarshaledTime"] == "2022-05-06T06:43:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["message"] == "2022/05/06 07:05:23 [190.189.12.92:60614] authentication for user \"arjun\" with password \"arjun123\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["program"] == "sshesame"
@@ -4300,94 +4764,98 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["sshesame_password"] == "arjun123"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["sshesame_user"] == "arjun"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["timestamp"] == "2022/05/06 07:05:23"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["target_user"] == "arjun"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2022-05-06T07:05:23Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["username"] == "arjun"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["source_ip"] == "190.189.12.92"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["target_user"] == "arjun"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2022-05-06T07:05:23Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Enriched["MarshaledTime"] == "2022-05-06T07:05:23Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["timestamp"] == "2022/05/06 07:05:25"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["message"] == "2022/05/06 07:05:25 [190.189.12.92:32868] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["source_ip"] == "190.189.12.92"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["sshesame_password"] == "nproc"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["sshesame_user"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["target_user"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2022-05-06T07:05:25Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["username"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["timestamp"] == "2022/05/06 07:05:25"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["source_ip"] == "190.189.12.92"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["target_user"] == "nproc"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2022-05-06T07:05:25Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Enriched["MarshaledTime"] == "2022-05-06T07:05:25Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["message"] == "2022/05/06 07:45:57 [190.2.139.67:58629] [channel 111] input: \"GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["sshesame_input"] == "GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["timestamp"] == "2022/05/06 07:45:57"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2022-05-06T07:45:57Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["input"] == "GET /?requestid=97339 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2022-05-06T07:45:57Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Enriched["MarshaledTime"] == "2022-05-06T07:45:57Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["sshesame_input"] == "GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["timestamp"] == "2022/05/06 07:51:27"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["message"] == "2022/05/06 07:51:27 [190.2.139.67:7117] [channel 104] input: \"GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["source_ip"] == "190.2.139.67"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2022-05-06T07:51:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["sshesame_input"] == "GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["timestamp"] == "2022/05/06 07:51:27"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["input"] == "GET /?requestid=32137 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2022-05-06T07:51:27Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Enriched["MarshaledTime"] == "2022-05-06T07:51:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["message"] == "2022/05/06 07:54:02 [190.2.139.67:58629] [channel 113] input: \"GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["sshesame_input"] == "GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["timestamp"] == "2022/05/06 07:54:02"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["input"] == "GET /?requestid=85851 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["timestamp"] == "2022-05-06T07:54:02Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Enriched["MarshaledTime"] == "2022-05-06T07:54:02Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["message"] == "2022/05/06 08:01:27 [190.2.139.67:58629] [channel 115] input: \"GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["sshesame_input"] == "GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["timestamp"] == "2022/05/06 08:01:27"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["timestamp"] == "2022-05-06T08:01:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["input"] == "GET /?requestid=36986 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["timestamp"] == "2022-05-06T08:01:27Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Enriched["MarshaledTime"] == "2022-05-06T08:01:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["message"] == "2022/05/06 08:06:24 [190.2.139.67:7117] [channel 106] input: \"GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["sshesame_input"] == "GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["timestamp"] == "2022/05/06 08:06:24"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["input"] == "GET /?requestid=61985 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["log_type"] == "sshesame_input"
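Review bot: The `Meta["username"]` assertions for events 20 and 21 are deleted without any replacement while `target_user` is kept, so the enriched event evidently no longer carries that key, but nothing in the new file pins that down: an `.assert` file only fails on lines that are present, so a stray `username` reappearing, or a scenario that still reads `evt.Meta.username`, would go unnoticed. If the drop is intentional, an explicit absence check such as `"username" not in results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta` documents it in the test itself. The switch from an exact `datasource_path` comparison to `basename(...)` relaxes the assertion to the file name only; that looks intended to make the test independent of the acquisition directory, and is worth a sentence in the commit message since it weakens every path check at once. The same silent `username` removal recurs in the later hunks covering events 30 to 34, including the last hunk, which runs past the end of this view.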
@@ -4395,13 +4863,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["timestamp"] == "2022-05-06T08:06:24Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Enriched["MarshaledTime"] == "2022-05-06T08:06:24Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["timestamp"] == "2022/05/06 08:14:21"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["message"] == "2022/05/06 08:14:21 [190.2.139.67:58629] [channel 132] input: \"GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["sshesame_input"] == "GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["timestamp"] == "2022/05/06 08:14:21"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["input"] == "GET /?requestid=6514 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["log_type"] == "sshesame_input"
@@ -4409,13 +4878,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["timestamp"] == "2022-05-06T08:14:21Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Enriched["MarshaledTime"] == "2022-05-06T08:14:21Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["message"] == "2022/05/06 08:36:14 [190.2.139.67:7117] [channel 108] input: \"GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["sshesame_input"] == "GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["timestamp"] == "2022/05/06 08:36:14"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["message"] == "2022/05/06 08:36:14 [190.2.139.67:7117] [channel 108] input: \"GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["program"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["input"] == "GET /?requestid=12818 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["log_type"] == "sshesame_input"
@@ -4423,36 +4893,38 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["timestamp"] == "2022-05-06T08:36:14Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Enriched["MarshaledTime"] == "2022-05-06T08:36:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] input: \"GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["sshesame_input"] == "GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["timestamp"] == "2022/05/06 08:57:43"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["message"] == "2022/05/06 08:57:43 [190.2.139.67:58629] [channel 135] input: \"GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["source_ip"] == "190.2.139.67"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["timestamp"] == "2022-05-06T08:57:43Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["input"] == "GET /?requestid=65533 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["timestamp"] == "2022-05-06T08:57:43Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Enriched["MarshaledTime"] == "2022-05-06T08:57:43Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["sshesame_user"] == "ubnt"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["timestamp"] == "2022/05/06 09:14:09"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["message"] == "2022/05/06 09:14:09 [92.159.59.16:39498] authentication for user \"ubnt\" with password \"ubnt1\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["source_ip"] == "92.159.59.16"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["sshesame_password"] == "ubnt1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["source_ip"] == "92.159.59.16"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["target_user"] == "ubnt"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["timestamp"] == "2022-05-06T09:14:09Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["username"] == "ubnt"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["sshesame_user"] == "ubnt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["timestamp"] == "2022/05/06 09:14:09"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["source_ip"] == "92.159.59.16"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["target_user"] == "ubnt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["timestamp"] == "2022-05-06T09:14:09Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:14:09Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["message"] == "2022/05/06 09:14:14 [15.207.177.208:41458] authentication for user \"roo\" with password \"123456\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["program"] == "sshesame"
@@ -4460,31 +4932,31 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["sshesame_password"] == "123456"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["sshesame_user"] == "roo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["timestamp"] == "2022/05/06 09:14:14"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["target_user"] == "roo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["timestamp"] == "2022-05-06T09:14:14Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["username"] == "roo"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["source_ip"] == "15.207.177.208"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["target_user"] == "roo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["timestamp"] == "2022-05-06T09:14:14Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:14:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] authentication for user \"nproc\" with password \"nproc\" accepted"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["source_ip"] == "15.207.177.208"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["sshesame_password"] == "nproc"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["sshesame_user"] == "nproc"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["timestamp"] == "2022/05/06 09:14:16"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["message"] == "2022/05/06 09:14:16 [15.207.177.208:41708] authentication for user \"nproc\" with password \"nproc\" accepted"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Parsed["program"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["target_user"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["timestamp"] == "2022-05-06T09:14:16Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["username"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["source_ip"] == "15.207.177.208"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["target_user"] == "nproc"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Meta["timestamp"] == "2022-05-06T09:14:16Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:14:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["message"] == "2022/05/06 09:15:03 [3.16.59.158:43316] authentication for user \"root\" with password \"sr1234\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["program"] == "sshesame"
@@ -4492,126 +4964,130 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["source_i
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["sshesame_password"] == "sr1234"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["sshesame_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Parsed["timestamp"] == "2022/05/06 09:15:03"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["target_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["timestamp"] == "2022-05-06T09:15:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["source_ip"] == "3.16.59.158"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["target_user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Meta["timestamp"] == "2022-05-06T09:15:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:15:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][33].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["timestamp"] == "2022/05/06 09:15:04"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["message"] == "2022/05/06 09:15:04 [3.16.59.158:43318] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["sshesame_password"] == "knockknockwhosthere"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Parsed["timestamp"] == "2022/05/06 09:15:04"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["target_user"] == "knockknockwhosthere"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["timestamp"] == "2022-05-06T09:15:04Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["username"] == "knockknockwhosthere"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:15:04Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["message"] == "2022/05/06 09:17:10 [3.16.59.158:43418] authentication for user \"root\" with password \"1212\" accepted"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["sshesame_password"] == "1212"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["sshesame_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["timestamp"] == "2022/05/06 09:17:10"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["message"] == "2022/05/06 09:17:10 [3.16.59.158:43418] authentication for user \"root\" with password \"1212\" accepted"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Parsed["program"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["timestamp"] == "2022-05-06T09:17:10Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["target_user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Meta["timestamp"] == "2022-05-06T09:17:10Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:17:10Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][35].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["timestamp"] == "2022/05/06 09:17:11"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["message"] == "2022/05/06 09:17:11 [3.16.59.158:43420] authentication for user \"knockknockwhosthere\" with password \"knockknockwhosthere\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["sshesame_password"] == "knockknockwhosthere"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["timestamp"] == "2022-05-06T09:17:11Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["username"] == "knockknockwhosthere"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["sshesame_user"] == "knockknockwhosthere"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Parsed["timestamp"] == "2022/05/06 09:17:11"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["source_ip"] == "3.16.59.158"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["target_user"] == "knockknockwhosthere"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Meta["timestamp"] == "2022-05-06T09:17:11Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:17:11Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][36].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Parsed["message"] == "2022/05/06 09:21:27 [190.2.139.67:7117] [channel 127] input: \"GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Parsed["sshesame_input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Parsed["timestamp"] == "2022/05/06 09:21:27"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["timestamp"] == "2022-05-06T09:21:27Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Meta["input"] == "GET /?requestid=11658 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:21:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][37].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["message"] == "2022/05/06 09:23:00 [45.82.65.44:42736] [channel 27] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["timestamp"] == "2022/05/06 09:23:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Parsed["message"] == "2022/05/06 09:23:00 [45.82.65.44:42736] [channel 27] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["timestamp"] == "2022-05-06T09:23:00Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Meta["timestamp"] == "2022-05-06T09:23:00Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:23:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][38].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["timestamp"] == "2022/05/06 09:23:01"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["message"] == "2022/05/06 09:23:01 [45.82.65.44:42736] [channel 27] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["timestamp"] == "2022-05-06T09:23:01Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Parsed["timestamp"] == "2022/05/06 09:23:01"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.642.0 Chrome/10.0.642.0 Safari/534.16\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Meta["timestamp"] == "2022-05-06T09:23:01Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:23:01Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][39].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["timestamp"] == "2022/05/06 09:27:47"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["message"] == "2022/05/06 09:27:47 [190.2.139.67:7117] [channel 132] input: \"GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["sshesame_input"] == "GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Parsed["timestamp"] == "2022/05/06 09:27:47"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["input"] == "GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["timestamp"] == "2022-05-06T09:27:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Meta["input"] == "GET /?requestid=58465 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:27:47Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][40].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Parsed["message"] == "2022/05/06 09:36:45 [190.2.139.67:7117] [channel 134] input: \"GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Parsed["sshesame_input"] == "GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Parsed["timestamp"] == "2022/05/06 09:36:45"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["input"] == "GET /?requestid=17483 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["log_type"] == "sshesame_input"
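Review bot: The `Evt.Meta["username"]` assertions removed for events 34 and 36 in this hunk (and for 32, 44, 45, 46, 47 and 48 in the partial hunk at the top of this chunk and the hunks at @@ -4633, @@ -4663 and @@ -4702) get no counterpart on the new side, so the file no longer states whether the enriched event carries a `username` meta key at all. If the parser now deliberately emits only `target_user`, an explicit assertion that `username` is absent (in whatever form the assert harness supports) would lock that in; if the key is still produced, the old lines should simply be re-added in the new sorted position, e.g. `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][34].Evt.Meta["username"] == "knockknockwhosthere"`. The switch to `basename(...datasource_path) == "sshesame.log"` presumably makes the suite independent of where the fixture lives, but it does loosen the check and deserves a one-line comment at the first occurrence in the file. The added `Evt.Whitelisted == false` lines are a sensible addition for a honeypot fixture, since a whitelist quietly dropping an event would otherwise go unnoticed.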
@@ -4619,13 +5095,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Meta["timestamp"] == "2022-05-06T09:36:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:36:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][41].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["timestamp"] == "2022/05/06 09:39:53"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["log_type"] == "sshesame_input"
@@ -4633,29 +5110,30 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["service"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Meta["timestamp"] == "2022-05-06T09:39:53Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:39:53Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][42].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Parsed["message"] == "2022/05/06 09:39:53 [195.3.147.60:48037] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Parsed["timestamp"] == "2022/05/06 09:39:53"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["timestamp"] == "2022-05-06T09:39:53Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:39:53Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][43].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["message"] == "2022/05/06 09:44:27 [190.123.44.157:50934] authentication for user \"root\" with password \"1234!@#$\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["source_ip"] == "190.123.44.157"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["sshesame_password"] == "1234!@#$"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["sshesame_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["timestamp"] == "2022/05/06 09:44:27"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Parsed["message"] == "2022/05/06 09:44:27 [190.123.44.157:50934] authentication for user \"root\" with password \"1234!@#$\" accepted"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["username"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["service"] == "sshesame"
@@ -4663,38 +5141,39 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["source_ip"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Meta["timestamp"] == "2022-05-06T09:44:27Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:44:27Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][44].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["sshesame_user"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["timestamp"] == "2022/05/06 09:44:29"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["message"] == "2022/05/06 09:44:29 [190.123.44.157:51298] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["source_ip"] == "190.123.44.157"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["sshesame_password"] == "nproc"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["sshesame_user"] == "nproc"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Parsed["timestamp"] == "2022/05/06 09:44:29"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["source_ip"] == "190.123.44.157"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["target_user"] == "nproc"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["timestamp"] == "2022-05-06T09:44:29Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Meta["username"] == "nproc"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:44:29Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][45].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["sshesame_password"] == "tareq"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["sshesame_user"] == "tareq"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["timestamp"] == "2022/05/06 09:46:12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["message"] == "2022/05/06 09:46:12 [92.38.176.30:58548] authentication for user \"tareq\" with password \"tareq\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["source_ip"] == "92.38.176.30"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["sshesame_password"] == "tareq"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["sshesame_user"] == "tareq"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Parsed["timestamp"] == "2022/05/06 09:46:12"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["log_type"] == "sshesame_login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["source_ip"] == "92.38.176.30"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["target_user"] == "tareq"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["timestamp"] == "2022-05-06T09:46:12Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Meta["username"] == "tareq"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:46:12Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][46].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["message"] == "2022/05/06 09:46:13 [92.38.176.30:58768] authentication for user \"nproc\" with password \"nproc\" accepted"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["program"] == "sshesame"
@@ -4702,24 +5181,23 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["sshesame_password"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["sshesame_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Parsed["timestamp"] == "2022/05/06 09:46:13" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["target_user"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["timestamp"] == "2022-05-06T09:46:13Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["source_ip"] == "92.38.176.30" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["target_user"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Meta["timestamp"] == "2022-05-06T09:46:13Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:46:13Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][47].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" with password 
\"zhaodandan\" accepted" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["sshesame_password"] == "zhaodandan" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["sshesame_user"] == "zhaodandan" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["timestamp"] == "2022/05/06 09:52:11" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["message"] == "2022/05/06 09:52:11 [165.232.183.156:46374] authentication for user \"zhaodandan\" with password \"zhaodandan\" accepted" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["username"] == "zhaodandan" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["service"] == "sshesame" 
@@ -4727,20 +5205,22 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["source_ip" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["target_user"] == "zhaodandan" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Meta["timestamp"] == "2022-05-06T09:52:11Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:52:11Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][48].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Parsed["message"] == "2022/05/06 09:52:12 [165.232.183.156:46374] [channel 0] command \"uname -s -v -n -r -m\" requested" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Parsed["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Parsed["sshesame_cmd"] == "uname -s -v -n -r -m" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Parsed["timestamp"] == "2022/05/06 09:52:12" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["command"] == "uname -s -v -n -r -m" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["log_type"] == "sshesame_cmd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["source_ip"] == "165.232.183.156" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["timestamp"] == "2022-05-06T09:52:12Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["command"] == "uname -s -v -n -r -m" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Enriched["MarshaledTime"] == "2022-05-06T09:52:12Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][49].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["message"] == "2022/05/06 10:01:04 [133.18.236.86:43326] authentication for user \"root\" with password \"Qq@12345\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["program"] == "sshesame" 
@@ -4748,145 +5228,152 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["sshesame_password"] == "Qq@12345" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Parsed["timestamp"] == "2022/05/06 10:01:04" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["source_ip"] == "133.18.236.86" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["target_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["timestamp"] == "2022-05-06T10:01:04Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["source_ip"] == "133.18.236.86" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["target_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Meta["timestamp"] == "2022-05-06T10:01:04Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:01:04Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][50].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Success == true 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["sshesame_password"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["sshesame_user"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["timestamp"] == "2022/05/06 10:01:07" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["message"] == "2022/05/06 10:01:07 [133.18.236.86:43334] authentication for user \"nproc\" with password \"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["source_ip"] == "133.18.236.86" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["timestamp"] == "2022-05-06T10:01:07Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["sshesame_password"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["sshesame_user"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Parsed["timestamp"] == "2022/05/06 10:01:07" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["source_ip"] == "133.18.236.86" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["target_user"] == "nproc" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Meta["timestamp"] == "2022-05-06T10:01:07Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:01:07Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][51].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Parsed["message"] == "2022/05/06 10:06:35 [190.2.139.67:58629] [channel 137] input: \"GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Parsed["sshesame_input"] == "GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Parsed["timestamp"] == "2022/05/06 10:06:35" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["input"] == "GET /?requestid=76082 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["source_ip"] == "190.2.139.67" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["timestamp"] == "2022-05-06T10:06:35Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:06:35Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][52].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] authentication for user \"admin\" with password \"aisadmin\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["sshesame_password"] == "aisadmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["sshesame_user"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["source_ip"] == "193.105.134.95" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["timestamp"] == "2022-05-06T10:28:45Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Meta["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:28:45Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][53].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["timestamp"] == "2022-05-06T10:28:45Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:28:45Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][54].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["timestamp"] == "2022/05/06 10:28:45" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Parsed["message"] == "2022/05/06 10:28:45 [193.105.134.95:20411] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["timestamp"] == "2022-05-06T10:28:45Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Meta["timestamp"] == "2022-05-06T10:28:45Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:28:45Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][55].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["source_ip"] == "45.82.65.44" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["timestamp"] == "2022/05/06 10:39:28" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["source_ip"] == "45.82.65.44" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["timestamp"] == "2022-05-06T10:39:28Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["source_ip"] == "45.82.65.44" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Meta["timestamp"] == "2022-05-06T10:39:28Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:39:28Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][56].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Parsed["message"] == "2022/05/06 10:39:28 [45.82.65.44:42736] [channel 28] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Parsed["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Parsed["timestamp"] == "2022/05/06 10:39:28" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["source_ip"] == "45.82.65.44" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["timestamp"] == "2022-05-06T10:39:28Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["source_ip"] == "45.82.65.44" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Meta["timestamp"] == "2022-05-06T10:39:28Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:39:28Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][57].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Parsed["message"] == "2022/05/06 10:43:18 [193.105.134.95:46780] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: 
google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Parsed["timestamp"] == "2022/05/06 10:43:18" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["timestamp"] == "2022-05-06T10:43:18Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:43:18Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][58].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["timestamp"] == "2022/05/06 10:43:19" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["message"] == "2022/05/06 10:43:19 [193.105.134.95:46780] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["program"] 
== "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Parsed["timestamp"] == "2022/05/06 10:43:19" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["timestamp"] == "2022-05-06T10:43:19Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:43:19Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][59].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["message"] == "2022/05/06 10:44:31 [202.153.33.62:26354] authentication for user \"ubnt\" with password \"ubnt1\" 
accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["program"] == "sshesame" 
@@ -4894,29 +5381,30 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["sshesame_password"] == "ubnt1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["sshesame_user"] == "ubnt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Parsed["timestamp"] == "2022/05/06 10:44:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["source_ip"] == "202.153.33.62" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["target_user"] == "ubnt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["timestamp"] == "2022-05-06T10:44:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Meta["username"] == "ubnt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Enriched["MarshaledTime"] == "2022-05-06T10:44:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][60].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Parsed["message"] == "2022/05/06 11:06:40 [190.2.139.67:7117] [channel 136] input: \"GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Parsed["program"] == "sshesame" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Parsed["sshesame_input"] == "GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Parsed["timestamp"] == "2022/05/06 11:06:40" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["source_ip"] == "190.2.139.67" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["timestamp"] == "2022-05-06T11:06:40Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["input"] == "GET /?requestid=3381 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["source_ip"] == "190.2.139.67" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Meta["timestamp"] == "2022-05-06T11:06:40Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:06:40Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][61].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39240] 
authentication for user \"root\" with password \"Subby123123\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["program"] == "sshesame" 
@@ -4924,149 +5412,154 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["sshesame_password"] == "Subby123123" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Parsed["timestamp"] == "2022/05/06 11:44:51" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["source_ip"] == "65.108.254.29" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["target_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["timestamp"] == "2022-05-06T11:44:51Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:44:51Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] authentication for user \"nproc\" with password 
\"nproc\" accepted" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["source_ip"] == "65.108.254.29" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["sshesame_password"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["sshesame_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["timestamp"] == "2022/05/06 11:44:51" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["message"] == "2022/05/06 11:44:51 [65.108.254.29:39858] authentication for user \"nproc\" with password \"nproc\" accepted" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Parsed["program"] == "sshesame" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["source_ip"] == "65.108.254.29" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["timestamp"] == "2022-05-06T11:44:51Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:44:51Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][63].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["sshesame_input"] == "GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["timestamp"] == "2022/05/06 11:44:56" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["message"] == "2022/05/06 11:44:56 [190.2.139.67:58629] [channel 140] input: \"GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["source_ip"] == "190.2.139.67" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["sshesame_input"] == "GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Parsed["timestamp"] == "2022/05/06 11:44:56" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["input"] == "GET /?requestid=54995 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["service"] == "sshesame" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["timestamp"] == "2022-05-06T11:44:56Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:44:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][64].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["message"] == "2022/05/06 11:47:01 [217.95.152.37:62602] authentication for user \"sales\" with password \"sales123\" accepted" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["source_ip"] == "217.95.152.37" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["sshesame_password"] == "sales123" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["sshesame_user"] == "sales" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["timestamp"] == "2022/05/06 11:47:01" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["message"] == "2022/05/06 11:47:01 [217.95.152.37:62602] authentication for user \"sales\" with password \"sales123\" accepted" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["target_user"] == "sales" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["timestamp"] == "2022-05-06T11:47:01Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["username"] == 
"sales" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["source_ip"] == "217.95.152.37" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["target_user"] == "sales" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Meta["timestamp"] == "2022-05-06T11:47:01Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:47:01Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][65].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["sshesame_user"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["timestamp"] == "2022/05/06 11:47:02" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["message"] == "2022/05/06 11:47:02 [217.95.152.37:33514] authentication for user \"nproc\" with password \"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["source_ip"] == "217.95.152.37" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["sshesame_password"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["datasource_path"] == "sshesame.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["sshesame_user"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Parsed["timestamp"] == "2022/05/06 11:47:02" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["source_ip"] == "217.95.152.37" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["timestamp"] == "2022-05-06T11:47:02Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Meta["username"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:47:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][66].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["source_ip"] == "45.82.65.44" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["timestamp"] == "2022/05/06 11:53:48" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["message"] == "2022/05/06 11:53:48 [45.82.65.44:42736] [channel 29] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["source_ip"] == "45.82.65.44" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["timestamp"] == "2022-05-06T11:53:48Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; 
en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["source_ip"] == "45.82.65.44" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Meta["timestamp"] == "2022-05-06T11:53:48Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Enriched["MarshaledTime"] == "2022-05-06T11:53:48Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][67].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Parsed["message"] == "2022/05/06 12:11:39 [190.2.139.67:7117] [channel 138] input: \"GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Parsed["sshesame_input"] == "GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Parsed["timestamp"] == "2022/05/06 12:11:39" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["input"] == "GET /?requestid=13796 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: 
*/*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["timestamp"] == "2022-05-06T12:11:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:11:39Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][68].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] authentication for user \"root\" with password \"root\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["source_ip"] == "188.255.62.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["sshesame_password"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] authentication for user \"root\" with password \"root\" accepted" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["datasource_type"] == "file" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["source_ip"] == "188.255.62.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["target_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["timestamp"] == "2022-05-06T12:25:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:25:39Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][69].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 0] command \"/ip cloud print\" requested" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["source_ip"] == "188.255.62.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["sshesame_cmd"] == "/ip cloud print" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 0] command \"/ip cloud print\" requested" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["source_ip"] == "188.255.62.33" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["timestamp"] == "2022-05-06T12:25:39Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["command"] == "/ip cloud print" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["log_type"] == "sshesame_cmd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["source_ip"] == "188.255.62.33" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Meta["timestamp"] == "2022-05-06T12:25:39Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:25:39Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][70].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] command \"ifconfig\" requested" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["source_ip"] == "188.255.62.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["sshesame_cmd"] == "ifconfig" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["timestamp"] == "2022/05/06 12:25:39" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Parsed["message"] == "2022/05/06 12:25:39 [188.255.62.33:48649] [channel 1] command \"ifconfig\" requested" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["command"] == "ifconfig" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["log_type"] == "sshesame_cmd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["source_ip"] == "188.255.62.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["timestamp"] == "2022-05-06T12:25:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["command"] == "ifconfig" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:25:39Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][71].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["message"] == "2022/05/06 12:33:29 [154.86.27.24:33448] authentication for user \"sam\" with password \"12345678\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["program"] == "sshesame" 
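Review bot: The removed `Meta["username"]` checks for the login events (62, 63, 65, 66 and 69 in this hunk, and the same pattern for 72 and 73 in the two following hunks at `@@ -5074` and `@@ -5090`) are not replaced by a negative assertion, so a parser that starts emitting `username` again next to `target_user` would still pass this file. If the assertion language can express it, pin the absence explicitly, e.g. `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][62].Evt.Meta["username"] == ""` (constructed example; confirm how a missing map key evaluates before relying on it). The switch to `basename(...Meta["datasource_path"]) == "sshesame.log"` makes the file independent of where the runner places the fixture, at the cost of no longer detecting a wrong directory component, which is presumably acceptable for a parser test. The added `Evt.Whitelisted == false` lines are worth keeping for every event here: each one carries attacker-controlled `input` or `command` strings from the honeypot, so pinning that none of them is whitelisted guards against an over-broad whitelist silently dropping them.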
@@ -5074,15 +5567,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["sshesame_password"] == "12345678" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["sshesame_user"] == "sam" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Parsed["timestamp"] == "2022/05/06 12:33:29" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["timestamp"] == "2022-05-06T12:33:29Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["username"] == "sam" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["source_ip"] == "154.86.27.24" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["target_user"] == "sam" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Meta["timestamp"] == "2022-05-06T12:33:29Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:33:29Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][72].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["message"] == "2022/05/06 12:33:31 [154.86.27.24:34072] authentication for user \"nproc\" with password \"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["program"] == 
"sshesame" @@ -5090,15 +5583,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["sshesame_password"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["sshesame_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Parsed["timestamp"] == "2022/05/06 12:33:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["source_ip"] == "154.86.27.24" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["timestamp"] == "2022-05-06T12:33:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Meta["username"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:33:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][73].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] authentication for user \"admin\" with password \"aisadmin\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["program"] == "sshesame" 
@@ -5106,106 +5599,112 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["sshesame_password"] == "aisadmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["sshesame_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["timestamp"] == "2022-05-06T12:39:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:39:33Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][74].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: 
google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Parsed["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["timestamp"] == "2022-05-06T12:39:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["source_ip"] == "195.3.147.60" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Meta["timestamp"] == "2022-05-06T12:39:33Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:39:33Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][75].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["message"] == "2022/05/06 12:39:33 [195.3.147.60:9217] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["source_ip"] == "195.3.147.60" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Parsed["timestamp"] == "2022/05/06 12:39:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["timestamp"] == "2022-05-06T12:39:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:39:33Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][76].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Success == true 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Parsed["message"] == "2022/05/06 12:58:50 [190.2.139.67:7117] [channel 141] input: \"GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Parsed["sshesame_input"] == "GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Parsed["timestamp"] == "2022/05/06 12:58:50" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["source_ip"] == "190.2.139.67" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["timestamp"] == "2022-05-06T12:58:50Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["input"] == "GET /?requestid=72371 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["source_ip"] == "190.2.139.67" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Meta["timestamp"] == "2022-05-06T12:58:50Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:58:50Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][77].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["timestamp"] == "2022/05/06 12:59:04" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["message"] == "2022/05/06 12:59:04 [45.82.65.44:42736] [channel 30] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 
Safari/534.14\\r\\n\\r\\n\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Parsed["program"] == "sshesame" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["timestamp"] == "2022-05-06T12:59:04Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:59:04Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][78].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["timestamp"] == "2022/05/06 12:59:05" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["message"] == "2022/05/06 12:59:05 [45.82.65.44:42736] [channel 30] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["source_ip"] == "45.82.65.44" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["timestamp"] == "2022-05-06T12:59:05Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Parsed["timestamp"] == "2022/05/06 12:59:05" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14\\r\\n\\r\\n" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["source_ip"] == "45.82.65.44" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Meta["timestamp"] == "2022-05-06T12:59:05Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Enriched["MarshaledTime"] == "2022-05-06T12:59:05Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][79].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Parsed["message"] == "2022/05/06 13:09:34 [190.2.139.67:58629] [channel 143] input: \"GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Parsed["sshesame_input"] == "GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Parsed["timestamp"] == "2022/05/06 13:09:34" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["source_ip"] == "190.2.139.67" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["timestamp"] == "2022-05-06T13:09:34Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["input"] == "GET /?requestid=12627 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["source_ip"] == "190.2.139.67" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Meta["timestamp"] == "2022-05-06T13:09:34Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:09:34Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][80].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Parsed["message"] == "2022/05/06 13:12:20 [190.2.139.67:58629] [channel 145] input: \"GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Parsed["sshesame_input"] == "GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Parsed["timestamp"] == "2022/05/06 13:12:20" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["datasource_path"] == "sshesame.log" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["input"] == "GET /?requestid=88211 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["log_type"] == "sshesame_input" 
@@ -5213,115 +5712,121 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["service"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Meta["timestamp"] == "2022-05-06T13:12:20Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:12:20Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][81].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Parsed["timestamp"] == "2022/05/06 13:18:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["source_ip"] == "193.105.134.95" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["timestamp"] == "2022-05-06T13:18:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["input"] 
== "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Meta["timestamp"] == "2022-05-06T13:18:31Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:18:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][82].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Parsed["message"] == "2022/05/06 13:18:31 [193.105.134.95:13053] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Parsed["timestamp"] == "2022/05/06 13:18:31" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["source_ip"] == "193.105.134.95" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["timestamp"] == "2022-05-06T13:18:31Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Meta["timestamp"] == "2022-05-06T13:18:31Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:18:31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][83].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["sshesame_user"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["timestamp"] == "2022/05/06 13:25:40" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["message"] == "2022/05/06 13:25:40 [144.22.213.51:55710] authentication for user \"admin\" with password \"1234567\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["source_ip"] == "144.22.213.51" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["sshesame_password"] == "1234567" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["source_ip"] == "144.22.213.51" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["target_user"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["timestamp"] == "2022-05-06T13:25:40Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["sshesame_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Parsed["timestamp"] == "2022/05/06 13:25:40" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["source_ip"] == "144.22.213.51" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["target_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Meta["timestamp"] == "2022-05-06T13:25:40Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:25:40Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][84].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] authentication for user \"admin\" with password \"aisadmin\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["source_ip"] == "193.105.134.95" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["sshesame_password"] == "aisadmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["sshesame_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["timestamp"] == "2022-05-06T13:48:37Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:48:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][85].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Parsed["program"] == "sshesame" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Parsed["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["source_ip"] == "193.105.134.95" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["timestamp"] == "2022-05-06T13:48:37Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:48:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][86].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Parsed["message"] == "2022/05/06 13:48:37 [193.105.134.95:49178] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Parsed["source_ip"] == "193.105.134.95" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Parsed["timestamp"] == "2022/05/06 13:48:37" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["source_ip"] == "193.105.134.95" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["timestamp"] == "2022-05-06T13:48:37Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["source_ip"] == "193.105.134.95" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Meta["timestamp"] == "2022-05-06T13:48:37Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:48:37Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][87].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Parsed["message"] == "2022/05/06 13:55:12 [190.2.139.67:58629] [channel 147] input: \"GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Parsed["sshesame_input"] == "GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Parsed["timestamp"] == "2022/05/06 13:55:12" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["input"] == "GET /?requestid=40353 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["timestamp"] == "2022-05-06T13:55:12Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:55:12Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][88].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Parsed["message"] == "2022/05/06 13:59:17 [190.2.139.67:58629] [channel 149] 
input: \"GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Parsed["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Parsed["sshesame_input"] == "GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Parsed["timestamp"] == "2022/05/06 13:59:17" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["input"] == "GET /?requestid=27608 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["log_type"] == "sshesame_input" 
@@ -5329,6 +5834,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["service"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["source_ip"] == "190.2.139.67" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Meta["timestamp"] == "2022-05-06T13:59:17Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Enriched["MarshaledTime"] == "2022-05-06T13:59:17Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][89].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["message"] == "2022/05/06 14:28:01 [43.154.53.163:58300] authentication for user \"root\" with password \"xiaoming\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["program"] == "sshesame" 
@@ -5336,31 +5842,31 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["sshesame_password"] == "xiaoming" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Parsed["timestamp"] == "2022/05/06 14:28:01" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["source_ip"] == "43.154.53.163" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["target_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["timestamp"] == "2022-05-06T14:28:01Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:28:01Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][90].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["sshesame_user"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["timestamp"] == "2022/05/06 14:28:04" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["message"] == "2022/05/06 14:28:04 [43.154.53.163:58868] authentication for user \"nproc\" with password 
\"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["source_ip"] == "43.154.53.163" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["sshesame_password"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["sshesame_user"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Parsed["timestamp"] == "2022/05/06 14:28:04" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["source_ip"] == "43.154.53.163" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["timestamp"] == "2022-05-06T14:28:04Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:28:04Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][91].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49420] authentication for user \"root\" with password 
\"Password321\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["program"] == "sshesame" 
@@ -5368,24 +5874,23 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["sshesame_password"] == "Password321" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Parsed["timestamp"] == "2022/05/06 14:28:15" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["source_ip"] == "87.121.6.204" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["target_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["timestamp"] == "2022-05-06T14:28:15Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["source_ip"] == "87.121.6.204" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["target_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Meta["timestamp"] == "2022-05-06T14:28:15Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:28:15Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][92].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Success == true 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] authentication for user \"nproc\" with password \"nproc\" accepted" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["source_ip"] == "87.121.6.204" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["sshesame_password"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["sshesame_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["timestamp"] == "2022/05/06 14:28:15" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["message"] == "2022/05/06 14:28:15 [87.121.6.204:49568] authentication for user \"nproc\" with password \"nproc\" accepted" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["service"] == "sshesame" 
@@ -5393,22 +5898,23 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["source_ip" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Meta["timestamp"] == "2022-05-06T14:28:15Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:28:15Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][93].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["sshesame_password"] == "root#1234" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["sshesame_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["timestamp"] == "2022/05/06 14:30:02" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["message"] == "2022/05/06 14:30:02 [45.239.216.250:45336] authentication for user \"root\" with password \"root#1234\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["source_ip"] == "45.239.216.250" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["source_ip"] == "45.239.216.250" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["target_user"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["timestamp"] == "2022-05-06T14:30:02Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["sshesame_password"] == "root#1234" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["sshesame_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Parsed["timestamp"] == "2022/05/06 14:30:02" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["source_ip"] == "45.239.216.250" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["target_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Meta["timestamp"] == "2022-05-06T14:30:02Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:30:02Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][94].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["message"] == "2022/05/06 14:30:05 [45.239.216.250:46226] authentication for user \"nproc\" with password \"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["program"] == "sshesame" 
@@ -5416,15 +5922,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["sshesame_password"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["sshesame_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Parsed["timestamp"] == "2022/05/06 14:30:05" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["source_ip"] == "45.239.216.250" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["timestamp"] == "2022-05-06T14:30:05Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:30:05Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][95].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["message"] == "2022/05/06 14:56:35 [1.7.180.245:44604] authentication for user \"admin\" with password \"1234567\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["program"] == "sshesame" 
@@ -5432,50 +5938,52 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["source_i results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["sshesame_password"] == "1234567" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["sshesame_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Parsed["timestamp"] == "2022/05/06 14:56:35" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["source_ip"] == "1.7.180.245" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["timestamp"] == "2022-05-06T14:56:35Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Enriched["MarshaledTime"] == "2022-05-06T14:56:35Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][96].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET / HTTP/1.1\\r\\nHost: 
omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Parsed["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Parsed["timestamp"] == "2022/05/06 15:35:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["timestamp"] == "2022-05-06T15:35:00Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Meta["datasource_path"] == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:35:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][97].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Parsed["message"] == "2022/05/06 15:35:00 [45.82.65.44:42736] [channel 31] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Parsed["source_ip"] == "45.82.65.44" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Parsed["timestamp"] == "2022/05/06 15:35:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["source_ip"] == "45.82.65.44" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["timestamp"] == "2022-05-06T15:35:00Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["datasource_path"]) == "sshesame.log" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20091218 Firefox 3.6b5\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["source_ip"] == "45.82.65.44" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Meta["timestamp"] == "2022-05-06T15:35:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:35:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][98].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["timestamp"] == "2022/05/06 15:38:52" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: 
close\\r\\n\\r\\n\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Parsed["program"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["log_type"] == "sshesame_input" 
@@ -5483,20 +5991,22 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["service"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Meta["timestamp"] == "2022-05-06T15:38:52Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:38:52Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][99].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Parsed["message"] == "2022/05/06 15:38:52 [195.3.147.60:39075] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Parsed["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Parsed["timestamp"] == "2022/05/06 15:38:52" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["service"] == "sshesame" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["source_ip"] == "195.3.147.60" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["timestamp"] == "2022-05-06T15:38:52Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["datasource_path"] == "sshesame.log" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["datasource_type"] == "file" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["log_type"] == "sshesame_input" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["service"] == "sshesame" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["source_ip"] == "195.3.147.60" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Meta["timestamp"] == "2022-05-06T15:38:52Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:38:52Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][100].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39092] authentication for user \"root\" with password \"1234qwer\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["program"] == "sshesame" 
@@ -5504,171 +6014,180 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["source_ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["sshesame_password"] == "1234qwer" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["sshesame_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["source_ip"] == "65.108.254.28" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["target_user"] == "root" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["timestamp"] == "2022-05-06T15:40:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["username"] == "root" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:40:33Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][101].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["sshesame_password"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["sshesame_user"] == "nproc" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["message"] == "2022/05/06 15:40:33 [65.108.254.28:39098] authentication for user \"nproc\" with password \"nproc\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["source_ip"] == "65.108.254.28" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["sshesame_password"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["sshesame_user"] == "nproc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Parsed["timestamp"] == "2022/05/06 15:40:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["datasource_path"]) == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["source_ip"] == "65.108.254.28" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["target_user"] == "nproc" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["timestamp"] == "2022-05-06T15:40:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["username"] == "nproc" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["datasource_path"] == "sshesame.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:40:33Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][102].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["sshesame_password"] == "aisadmin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["sshesame_user"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] authentication for user \"admin\" with password \"aisadmin\" accepted" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["source_ip"] == "195.3.147.60" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["timestamp"] == "2022-05-06T15:41:33Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["datasource_path"] == "sshesame.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["sshesame_password"] == "aisadmin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["sshesame_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["log_type"] == "sshesame_login" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["service"] == "sshesame" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["target_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Meta["timestamp"] == "2022-05-06T15:41:33Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:41:33Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][103].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 0] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Parsed["program"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Parsed["source_ip"] == "195.3.147.60" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["datasource_path"]) == "sshesame.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["log_type"] == "sshesame_input" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["service"] == "sshesame" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["source_ip"] == "195.3.147.60" 
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["timestamp"] == "2022-05-06T15:41:33Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Meta["datasource_path"] == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:41:33Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][104].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Parsed["message"] == "2022/05/06 15:41:33 [195.3.147.60:33414] [channel 1] input: \"GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Parsed["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Parsed["timestamp"] == "2022/05/06 15:41:33"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["source_ip"] == "195.3.147.60"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["timestamp"] == "2022-05-06T15:41:33Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Meta["input"] == "GET / HTTP/1.0\\r\\nHost: google.com\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:41:33Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][105].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Parsed["message"] == "2022/05/06 15:44:30 [190.2.139.67:58629] [channel 151] input: \"GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Parsed["sshesame_input"] == "GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Parsed["timestamp"] == "2022/05/06 15:44:30"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["timestamp"] == "2022-05-06T15:44:30Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["input"] == "GET /?requestid=57232 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Meta["timestamp"] == "2022-05-06T15:44:30Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Enriched["MarshaledTime"] == "2022-05-06T15:44:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][106].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["source_ip"] == "45.82.65.44"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["timestamp"] == "2022-05-06T16:16:45Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Meta["timestamp"] == "2022-05-06T16:16:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:16:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][107].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Parsed["message"] == "2022/05/06 16:16:45 [45.82.65.44:42736] [channel 32] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Parsed["timestamp"] == "2022/05/06 16:16:45"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["timestamp"] == "2022-05-06T16:16:45Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/13.0.782.41 Chrome/13.0.782.41 Safari/535.1\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Meta["timestamp"] == "2022-05-06T16:16:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:16:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][108].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] input: \"GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Parsed["sshesame_input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Parsed["timestamp"] == "2022/05/06 16:28:03"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["timestamp"] == "2022-05-06T16:28:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["datasource_path"] == "sshesame.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["input"] == "GET / HTTP/1.1\\r\\nHost: omegle.com\\r\\nConnection: close\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Meta["timestamp"] == "2022-05-06T16:28:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:28:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][109].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["timestamp"] == "2022/05/06 16:28:03"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["message"] == "2022/05/06 16:28:03 [45.82.65.44:42736] [channel 33] input: \"GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["source_ip"] == "45.82.65.44"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["sshesame_input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["service"] == "sshesame"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["source_ip"] == "45.82.65.44"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["timestamp"] == "2022-05-06T16:28:03Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Parsed["timestamp"] == "2022/05/06 16:28:03"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["input"] == "GET http://omegle.com/ HTTP/1.1\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.698.0 Safari/534.24\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["log_type"] == "sshesame_input"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["service"] == "sshesame"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["source_ip"] == "45.82.65.44"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Meta["timestamp"] == "2022-05-06T16:28:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:28:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][110].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["timestamp"] == "2022/05/06 16:33:02"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["message"] == "2022/05/06 16:33:02 [190.2.139.67:58629] [channel 153] input: \"GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["sshesame_input"] == "GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["timestamp"] == "2022-05-06T16:33:02Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["datasource_path"] == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Parsed["timestamp"] == "2022/05/06 16:33:02"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["datasource_path"]) == "sshesame.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["input"] == "GET /?requestid=44562 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["source_ip"] == "190.2.139.67"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Meta["timestamp"] == "2022-05-06T16:33:02Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:33:02Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][111].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["message"] == "2022/05/06 16:41:59 [190.2.139.67:58629] [channel 155] input: \"GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["program"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["sshesame_input"] == "GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["timestamp"] == "2022/05/06 16:41:59"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Parsed["message"] == "2022/05/06 16:41:59 [190.2.139.67:58629] [channel 155] input: \"GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n\""
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["datasource_path"]) == "sshesame.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["input"] == "GET /?requestid=90219 HTTP/1.1\\r\\nHost: ip.bablosoft.com\\r\\nConnection: close\\r\\nAccept: */*\\r\\nConnection: close\\r\\n\\r\\n"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["log_type"] == "sshesame_input"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["service"] == "sshesame"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["source_ip"] == "190.2.139.67"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["timestamp"] == "2022-05-06T16:41:59Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["datasource_path"] == "sshesame.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Enriched["MarshaledTime"] == "2022-05-06T16:41:59Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][112].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/sshesame/scenario.assert b/.tests/sshesame/scenario.assert
index 9d4d0d95df6..a150ebc9fba 100644
--- a/.tests/sshesame/scenario.assert
+++ b/.tests/sshesame/scenario.assert
@@ -5,7 +5,7 @@ results[0].Overflow.Sources["188.255.62.33"].Range == ""
 results[0].Overflow.Sources["188.255.62.33"].GetScope() == "Ip"
 results[0].Overflow.Sources["188.255.62.33"].GetValue() == "188.255.62.33"
 results[0].Overflow.Alert.Events[0].GetMeta("command") == "/ip cloud print"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshesame.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshesame.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "sshesame_cmd"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "sshesame"
@@ -20,7 +20,7 @@ results[1].Overflow.Sources["186.78.209.242"].Range == ""
 results[1].Overflow.Sources["186.78.209.242"].GetScope() == "Ip"
 results[1].Overflow.Sources["186.78.209.242"].GetValue() == "186.78.209.242"
 results[1].Overflow.Alert.Events[0].GetMeta("command") == "scp -t /tmp/taCiyiIF"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshesame.log"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshesame.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "sshesame_cmd"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "sshesame"
@@ -35,7 +35,7 @@ results[2].Overflow.Sources["165.232.183.156"].Range == ""
 results[2].Overflow.Sources["165.232.183.156"].GetScope() == "Ip"
 results[2].Overflow.Sources["165.232.183.156"].GetValue() == "165.232.183.156"
 results[2].Overflow.Alert.Events[0].GetMeta("command") == "uname -s -v -n -r -m"
-results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshesame.log"
+basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshesame.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "sshesame_cmd"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "sshesame"
@@ -50,7 +50,7 @@ results[3].Overflow.Sources["165.232.183.156"].Range == ""
 results[3].Overflow.Sources["165.232.183.156"].GetScope() == "Ip"
 results[3].Overflow.Sources["165.232.183.156"].GetValue() == "165.232.183.156"
 results[3].Overflow.Alert.Events[0].GetMeta("command") == "uname -s -v -n -r -m"
-results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshesame.log"
+basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshesame.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "sshesame_cmd"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "sshesame"
@@ -64,38 +64,34 @@ results[4].Overflow.Sources["3.16.59.158"].IP == "3.16.59.158"
 results[4].Overflow.Sources["3.16.59.158"].Range == ""
 results[4].Overflow.Sources["3.16.59.158"].GetScope() == "Ip"
 results[4].Overflow.Sources["3.16.59.158"].GetValue() == "3.16.59.158"
-results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshesame.log"
+basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "sshesame.log"
 results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "sshesame_login"
 results[4].Overflow.Alert.Events[0].GetMeta("service") == "sshesame"
 results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "3.16.59.158"
 results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
 results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-05-06T09:15:03Z"
-results[4].Overflow.Alert.Events[0].GetMeta("username") == "root"
-results[4].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshesame.log"
+basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "sshesame.log"
 results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[1].GetMeta("log_type") == "sshesame_login"
 results[4].Overflow.Alert.Events[1].GetMeta("service") == "sshesame"
 results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "3.16.59.158"
 results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "knockknockwhosthere"
 results[4].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-05-06T09:15:04Z"
-results[4].Overflow.Alert.Events[1].GetMeta("username") == "knockknockwhosthere"
-results[4].Overflow.Alert.Events[2].GetMeta("datasource_path") == "sshesame.log"
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "sshesame.log"
 results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[2].GetMeta("log_type") == "sshesame_login"
 results[4].Overflow.Alert.Events[2].GetMeta("service") == "sshesame"
 results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "3.16.59.158"
 results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "root"
 results[4].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-05-06T09:17:10Z"
-results[4].Overflow.Alert.Events[2].GetMeta("username") == "root"
-results[4].Overflow.Alert.Events[3].GetMeta("datasource_path") == "sshesame.log"
+basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "sshesame.log"
 results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[4].Overflow.Alert.Events[3].GetMeta("log_type") == "sshesame_login"
 results[4].Overflow.Alert.Events[3].GetMeta("service") == "sshesame"
 results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "3.16.59.158"
 results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "knockknockwhosthere"
 results[4].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-05-06T09:17:11Z"
-results[4].Overflow.Alert.Events[3].GetMeta("username") == "knockknockwhosthere"
 results[4].Overflow.Alert.GetScenario() == "thespad/sshesame-bf"
 results[4].Overflow.Alert.Remediation == true
-results[4].Overflow.Alert.GetEventsCount() == 4
\ No newline at end of file
+results[4].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/stirling-pdf-bf/parser.assert b/.tests/stirling-pdf-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/stirling-pdf-bf/scenario.assert b/.tests/stirling-pdf-bf/scenario.assert
index df800e9562a..b4d8350c247 100644
--- a/.tests/stirling-pdf-bf/scenario.assert
+++ b/.tests/stirling-pdf-bf/scenario.assert
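Review bot: The four `GetMeta("username")` assertions on results[4].Overflow.Alert.Events[0] through Events[3] are removed without a replacement, so this scenario no longer states whether its login events still carry that key; `target_user` is still asserted for each event, and the adguardhome-bf section earlier in this diff drops `Meta["username"]` in the same way, which suggests the parser stopped emitting the duplicate key rather than the test merely ceasing to check it. If that is the intent, pinning it with `results[4].Overflow.Alert.Events[0].GetMeta("username") == ""` (assuming GetMeta returns an empty string for an absent key, as it appears to elsewhere) would catch a regression that quietly reintroduces the key; if the key is still emitted, the four assertions should come back.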
@@ -4,27 +4,27 @@ results[0].Overflow.Sources["::1"].IP == "::1"
 results[0].Overflow.Sources["::1"].Range == ""
 results[0].Overflow.Sources["::1"].GetScope() == "Ip"
 results[0].Overflow.Sources["::1"].GetValue() == "::1"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "stirling-pdf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "failed_authentication"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "stirling-pdf"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::1"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-10-10T12:59:53.237Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "stirling-pdf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "failed_authentication"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "stirling-pdf"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::1"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-10-10T12:59:53.237Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "stirling-pdf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "failed_authentication"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "stirling-pdf"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::1"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-10-10T12:59:58.543Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "stirling-pdf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "failed_authentication"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "stirling-pdf"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::1"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-10-10T12:59:58.543Z"
diff --git a/.tests/stirling-pdf-logs/parser.assert b/.tests/stirling-pdf-logs/parser.assert
index 0da13264740..67d07438306 100644
--- a/.tests/stirling-pdf-logs/parser.assert
+++ b/.tests/stirling-pdf-logs/parser.assert
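Review bot: Dropping the `GetMeta("log_type") == "failed_authentication"` line for each of results[0].Overflow.Alert.Events[0] through Events[3] leaves this scenario with no assertion on `log_type` at all, while the sshesame section of the same diff keeps asserting `log_type` for every event; the new `auth_status == "failed"` line pins the new key but says nothing about the old one. If the stirling-pdf parser still emits a `log_type`, add one line per event such as `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "<log_type emitted by the parser>"` so a rename or removal is caught here as well. If the parser no longer emits it, asserting the absence, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == ""` (assuming GetMeta returns an empty string for a missing key), would make the intent explicit.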
@@ -3,61 +3,61 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 10
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2024-10-10 12:59:58,543 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2024-10-10 13:00:00,991 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1161] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2024-10-10 13:00:04,304 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1159] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "2024-10-10 13:00:06,846 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "2024-10-10 13:02:49,060 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1160] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "2024-10-10 13:02:53,703 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "2024-10-10 13:02:56,524 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1160] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "2024-10-10 13:04:28,001 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-96] Failed login attempt from IP: 192.168.111.213"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "2024-10-10 13:04:30,558 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-66] Failed login attempt from IP: 192.168.111.213"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "stirling-pdf"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 10
@@ -78,9 +78,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["timestamp"] == "2024-10-10 12:59:53,237"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Whitelisted == false
@@ -90,9 +90,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Parsed["timestamp"] == "2024-10-10 12:59:58,543"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][1].Evt.Whitelisted == false
@@ -102,9 +102,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Parsed["timestamp"] == "2024-10-10 13:00:00,991"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][2].Evt.Whitelisted == false
@@ -114,9 +114,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Parsed["timestamp"] == "2024-10-10 13:00:04,304"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][3].Evt.Whitelisted == false
@@ -126,9 +126,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Parsed["timestamp"] == "2024-10-10 13:00:06,846"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][4].Evt.Whitelisted == false
@@ -138,9 +138,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Parsed["timestamp"] == "2024-10-10 13:02:49,060"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][5].Evt.Whitelisted == false
@@ -150,9 +150,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Parsed["timestamp"] == "2024-10-10 13:02:53,703"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][6].Evt.Whitelisted == false
@@ -162,9 +162,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Parsed["timestamp"] == "2024-10-10 13:02:56,524"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][7].Evt.Whitelisted == false
@@ -174,9 +174,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Parsed["source_ip"] == "192.168.111.213"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Parsed["timestamp"] == "2024-10-10 13:04:28,001"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Meta["source_ip"] == "192.168.111.213"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][8].Evt.Whitelisted == false
@@ -186,9 +186,9 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Parsed["message"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Parsed["program"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Parsed["source_ip"] == "192.168.111.213"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Parsed["timestamp"] == "2024-10-10 13:04:30,558"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["log_type"] == "failed_authentication"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["source_ip"] == "192.168.111.213"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Whitelisted == false
@@ -199,9 +199,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2024-10-10 12:59:53,237"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-10-10T12:59:53.237Z"
@@ -213,9 +213,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2024-10-10 12:59:58,543"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-10-10T12:59:58.543Z"
@@ -227,9 +227,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2024-10-10 13:00:00,991"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-10-10T13:00:00.991Z"
@@ -241,9 +241,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2024-10-10 13:00:04,304"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-10-10T13:00:04.304Z"
@@ -255,9 +255,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "2024-10-10 13:00:06,846"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-10-10T13:00:06.846Z"
@@ -269,9 +269,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "2024-10-10 13:02:49,060"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-10-10T13:02:49.06Z"
@@ -283,9 +283,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "2024-10-10 13:02:53,703"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2024-10-10T13:02:53.703Z"
@@ -297,9 +297,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "2024-10-10 13:02:56,524"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2024-10-10T13:02:56.524Z"
@@ -311,9 +311,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "192.168.111.213"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp"] == "2024-10-10 13:04:28,001"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.111.213"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2024-10-10T13:04:28.001Z"
@@ -325,9 +325,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.168.111.213"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp"] == "2024-10-10 13:04:30,558"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "stirling-pdf.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "failed_authentication"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "stirling-pdf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.111.213"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2024-10-10T13:04:30.558Z"
diff --git a/.tests/supabase-docker-pgsql-logs/parser.assert b/.tests/supabase-docker-pgsql-logs/parser.assert
index dcbde1bc0cd..b919ac79b8d 100644
--- a/.tests/supabase-docker-pgsql-logs/parser.assert
+++ b/.tests/supabase-docker-pgsql-logs/parser.assert
@@ -3,18 +3,21 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "152.58.17.218 2023-03-12 10:17:27.491 UTC [23429] postgrs@postgrs FATAL: password authentication failed for user \"postgrs\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "postgres"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "152.58.19.114 2023-03-12 07:45:34.311 UTC [8824] root@root FATAL: password authentication failed for user \"root\""
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "postgres"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "postgres"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
@@ -22,117 +25,129 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
 len(results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"]) == 3
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Success == true
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["PID"] == "23429"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["auth_method"] == "password"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["message"] == "152.58.17.218 2023-03-12 10:17:27.491 UTC [23429] postgrs@postgrs FATAL: password authentication failed for user \"postgrs\""
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_dbname"] == "postgrs"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_target_user"] == "postgrs"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_user"] == "postgrs"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["program"] == "postgres"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["source_ip"] == "152.58.17.218"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_dbname"] == "postgrs"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["pgsql_user"] == "postgrs"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["timestamp"] == "2023-03-12 10:17:27.491"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Parsed["zone"] == "UTC"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["db"] == "postgrs"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["service"] == "pgsql"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["source_ip"] == "152.58.17.218"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["user"] == "postgrs"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Meta["target_user"] == "postgrs"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Success == true
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["PID"] == "8824"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["auth_method"] == "password"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["message"] == "152.58.19.114 2023-03-12 07:45:34.311 UTC [8824] root@root FATAL: password authentication failed for user \"root\""
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_dbname"] == "root"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_target_user"] == "root"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_user"] == "root"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["source_ip"] == "152.58.19.114"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["pgsql_dbname"] == "root"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["source_ip"] == "152.58.19.114"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["timestamp"] == "2023-03-12 07:45:34.311"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Parsed["zone"] == "UTC"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["db"] == "root"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["service"] == "pgsql"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["source_ip"] == "152.58.19.114"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["user"] == "root"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Success == true
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["program"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["source_ip"] == "65.2.129.7"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["PID"] == "53959"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["auth_method"] == "password"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_target_user"] == "zyrian"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_user"] == "zyrian"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["program"] == "postgres"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["source_ip"] == "65.2.129.7"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.411"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Parsed["zone"] == "UTC"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["auth_method"] == "password"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["db"] == "postgres"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["service"] == "pgsql"
 results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["source_ip"] == "65.2.129.7"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["user"] == "zyrian"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["auth_method"] == "password"
-results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Meta["target_user"] == "zyrian"
+results["s01-parse"]["crowdsecurity/supabase-docker-pgsql"][2].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["PID"] == "23429"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_method"] == "password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "152.58.17.218 2023-03-12 10:17:27.491 UTC [23429] postgrs@postgrs FATAL: password authentication failed for user \"postgrs\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_dbname"] == "postgrs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_target_user"] == "postgrs"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_user"] == "postgrs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postgres"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "152.58.17.218"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-03-12 10:17:27.491"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_method"] == "password"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_dbname"] == "postgrs"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pgsql_user"] == "postgrs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["zone"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_method"] == "password"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["db"] == "postgrs"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "pgsql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "152.58.17.218"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "postgrs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-03-12T10:17:27.491Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "postgrs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-03-12T10:17:27.491Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["PID"] == "8824"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_user"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postgres"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-03-12 07:45:34.311"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "152.58.19.114"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["zone"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_method"] == "password"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "152.58.19.114 2023-03-12 07:45:34.311 UTC [8824] root@root FATAL: password authentication failed for user \"root\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_dbname"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_target_user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pgsql_user"] == "root"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postgres"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "152.58.19.114"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-03-12 07:45:34.311"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["zone"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_method"] == "password"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["db"] == "root"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "pgsql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "152.58.19.114"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-03-12T07:45:34.311Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "root"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-03-12T07:45:34.311Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["PID"] == "53959"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_method"] == "password"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_target_user"] == "zyrian"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_user"] == "zyrian"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postgres"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "65.2.129.7"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2023-03-12 11:17:28.411"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["zone"] == "UTC"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "65.2.129.7 2023-03-12 11:17:28.411 UTC [53959] zyrian@postgres FATAL: password authentication failed for user \"zyrian\""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_dbname"] == "postgres"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pgsql_target_user"] == "zyrian"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.411Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "zyrian"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_method"] == "password"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "supabase-docker-pgsql-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "supabase-docker-pgsql-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["db"] == "postgres"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "pgsql_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "pgsql"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "65.2.129.7"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "zyrian"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-03-12T11:17:28.411Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-03-12T11:17:28.411Z"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/suricata-eve-detect/parser.assert b/.tests/suricata-eve-detect/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/synology-dsm-bf/parser.assert b/.tests/synology-dsm-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/synology-dsm-bf/scenario.assert b/.tests/synology-dsm-bf/scenario.assert
index a1edf915ad9..7abfb661efe 100644
--- a/.tests/synology-dsm-bf/scenario.assert
+++ b/.tests/synology-dsm-bf/scenario.assert
@@ -1,42 +1,51 @@
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "synology-dsm-bf.log"
+len(results) == 1
+"10.4.2.113" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.4.2.113"].IP == "10.4.2.113"
+results[0].Overflow.Sources["10.4.2.113"].Range == ""
+results[0].Overflow.Sources["10.4.2.113"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.4.2.113"].GetValue() == "10.4.2.113"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "synology-dsm-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "synology-dsm-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "synology-dsm-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "synology-dsm-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "synology-dsm-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "synology-dsm-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "synology-dsm_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("machine") == "synologynas"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "synology-dsm"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.4.2.113"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-09T20:55:18+01:00"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/synology-dsm-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/synology-dsm-logs/parser.assert b/.tests/synology-dsm-logs/parser.assert
index 44669755872..b0883288024 100644
--- a/.tests/synology-dsm-logs/parser.assert
+++ b/.tests/synology-dsm-logs/parser.assert
@@ -1,65 +1,205 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "2197"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:37+01:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "synologynas"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "2209"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:48+01:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "synologynas"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "2368"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2022-02-09T20:54:00+01:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "synologynas"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.114"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "2706"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:08+01:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "synologynas"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.113"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "2737"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:18+01:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "synologynas"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/synology-dsm-logs"]) == 5
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["pid"] == "2197"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["src_ip"] == "10.4.2.112"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:37+01:00"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Parsed["pid"] == "2197"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["log_type"] == "synology-dsm_failed_auth"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["machine"] == "synologynas"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["service"] == "synology-dsm"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["source_ip"] == "10.4.2.112"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["datasource_path"] == "synology-dsm-logs.log"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["pid"] == "2209"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["src_ip"] == "10.4.2.112"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["pid"] == "2209"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["src_ip"] == "10.4.2.112"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:48+01:00"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["datasource_path"] == "synology-dsm-logs.log"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["log_type"] == "synology-dsm_failed_auth"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["machine"] == "synologynas"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["service"] == "synology-dsm"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Meta["source_ip"] == "10.4.2.112"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["pid"] == "2368"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["src_ip"] == "10.4.2.116"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["message"] == "pam_unix(webui:auth): 
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Parsed["timestamp8601"] == "2022-02-09T20:54:00+01:00"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["datasource_path"] == "synology-dsm-logs.log"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["log_type"] == "synology-dsm_failed_auth"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["machine"] == "synologynas"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["service"] == "synology-dsm"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Meta["source_ip"] == "10.4.2.116"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.114"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["pid"] == "2706"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["src_ip"] == "10.4.2.114"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:08+01:00"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["datasource_path"] == "synology-dsm-logs.log"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["log_type"] == "synology-dsm_failed_auth"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["machine"] == "synologynas"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["service"] == "synology-dsm"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Meta["source_ip"] == "10.4.2.114"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["src_ip"] == "10.4.2.113"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:18+01:00"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.113"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["pid"] == "2737"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["datasource_path"] == "synology-dsm-logs.log"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["src_ip"] == "10.4.2.113"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:18+01:00"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["log_type"] == "synology-dsm_failed_auth"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["machine"] == "synologynas"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["service"] == "synology-dsm"
 results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["source_ip"] == "10.4.2.113"
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "2197"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_ip"] == "10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:37+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "synologynas"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "synology-dsm"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-02-09T20:53:37+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-02-09T20:53:37+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "2209"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_ip"] == "10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2022-02-09T20:53:48+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "synologynas"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "synology-dsm"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.4.2.112"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-02-09T20:53:48+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-02-09T20:53:48+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "2368"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["src_ip"] == "10.4.2.116"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp8601"] == "2022-02-09T20:54:00+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "synologynas"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == 
"synology-dsm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "10.4.2.116" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-02-09T20:54:00+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-02-09T20:54:00+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "2706" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["src_ip"] == "10.4.2.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:08+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "synology-dsm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "10.4.2.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-02-09T20:55:08+01:00" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-02-09T20:55:08+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.113"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "2737"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_7_login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["src_ip"] == "10.4.2.113"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp8601"] == "2022-02-09T20:55:18+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "synology-dsm-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "synologynas"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "synology-dsm"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "10.4.2.113"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-02-09T20:55:18+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-02-09T20:55:18+01:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/tcpdump-logs/parser.assert b/.tests/tcpdump-logs/parser.assert
index b687eeac061..297773192fe 100644
--- a/.tests/tcpdump-logs/parser.assert
+++ b/.tests/tcpdump-logs/parser.assert
@@ -1,69 +1,105 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "11:29:42.550475 IP 1.2.3.4.43436 > 172.1.2.3.22: Flags [S], seq 2398030442, win 64240, options [mss 1460,sackOK,TS val 2908275146 ecr 0,nop,wscale 7], length 0"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "tcpdump"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "11:29:42.550554 IP 172.1.2.3.22 > 1.2.3.4.43436: Flags [S.], seq 1252624761, ack 2398030443, win 62643, options [mss 8961,sackOK,TS val 1384641183 ecr 2908275146,nop,wscale 7], length 0"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "tcpdump"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "11:31:20.553633 IP 4.3.2.1.21803 > 172.1.2.3.22: Flags [S], seq 3756801163, win 29200, options [mss 1460,sackOK,TS val 9368516 ecr 0,nop,wscale 7], length 0"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "tcpdump"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "11:31:20.553713 IP 172.1.2.3.22 > 4.3.2.1.21803: Flags [S.], seq 1202442063, ack 3756801164, win 62643, options [mss 8961,sackOK,TS val 2669130073 ecr 9368516,nop,wscale 7], length 0"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "tcpdump"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 len(results["s01-parse"]["crowdsecurity/tcpdump-logs"]) == 4
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["new_connection"] == "true"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["program"] == "tcpdump"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["tcpflags"] == "S"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["timestamp"] == "11:29:42.550475"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["dest_ip"] == "172.1.2.3"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["dest_port"] == "22"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["source_port"] == "43436"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["message"] == "11:29:42.550475 IP 1.2.3.4.43436 > 172.1.2.3.22: Flags [S], seq 2398030442, win 64240, options [mss 1460,sackOK,TS val 2908275146 ecr 0,nop,wscale 7], length 0"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["new_connection"] == "true"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["program"] == "tcpdump"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["datasource_path"] == "tcpdump-logs.log"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["source_port"] == "43436"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["tcpflags"] == "S"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Parsed["timestamp"] == "11:29:42.550475"
+basename(results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["dest_ip"] == "172.1.2.3"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["dest_port"] == "22"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["log_type"] == "tcp_syn"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["service"] == "tcp"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["source_ip"] == "172.1.2.3"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["timestamp"] == "11:29:42.550554"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["dest_ip"] == "1.2.3.4"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["new_connection"] == "true"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["program"] == "tcpdump"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["tcpflags"] == "S."
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["dest_port"] == "43436"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["message"] == "11:29:42.550554 IP 172.1.2.3.22 > 1.2.3.4.43436: Flags [S.], seq 1252624761, ack 2398030443, win 62643, options [mss 8961,sackOK,TS val 1384641183 ecr 2908275146,nop,wscale 7], length 0"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["new_connection"] == "true"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["program"] == "tcpdump"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["source_ip"] == "172.1.2.3"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["source_port"] == "22"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["source_ip"] == "172.1.2.3"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["datasource_path"] == "tcpdump-logs.log"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["tcpflags"] == "S."
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["timestamp"] == "11:29:42.550554"
+basename(results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["dest_ip"] == "1.2.3.4"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["dest_port"] == "43436"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["log_type"] == "tcp_syn"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["service"] == "tcp"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Meta["source_ip"] == "172.1.2.3"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["timestamp"] == "11:31:20.553633"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["dest_ip"] == "172.1.2.3"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["dest_port"] == "22"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["program"] == "tcpdump"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["source_port"] == "21803"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["tcpflags"] == "S"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["message"] == "11:31:20.553633 IP 4.3.2.1.21803 > 172.1.2.3.22: Flags [S], seq 3756801163, win 29200, options [mss 1460,sackOK,TS val 9368516 ecr 0,nop,wscale 7], length 0"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["new_connection"] == "true"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["program"] == "tcpdump"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["source_ip"] == "4.3.2.1"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["log_type"] == "tcp_syn"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["service"] == "tcp"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["source_ip"] == "4.3.2.1"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["datasource_path"] == "tcpdump-logs.log"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["source_port"] == "21803"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["tcpflags"] == "S"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Parsed["timestamp"] == "11:31:20.553633"
+basename(results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["dest_ip"] == "172.1.2.3"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["dest_port"] == "22"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["log_type"] == "tcp_syn"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["service"] == "tcp"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Meta["source_ip"] == "4.3.2.1"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["dest_port"] == "21803"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["source_ip"] == "172.1.2.3"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["source_port"] == "22"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["tcpflags"] == "S."
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["dest_ip"] == "4.3.2.1"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["dest_port"] == "21803"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["message"] == "11:31:20.553713 IP 172.1.2.3.22 > 4.3.2.1.21803: Flags [S.], seq 1202442063, ack 3756801164, win 62643, options [mss 8961,sackOK,TS val 2669130073 ecr 9368516,nop,wscale 7], length 0"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["new_connection"] == "true"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["program"] == "tcpdump"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["source_ip"] == "172.1.2.3"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["source_port"] == "22"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["tcpflags"] == "S."
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Parsed["timestamp"] == "11:31:20.553713"
+basename(results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["datasource_path"]) == "tcpdump-logs.log"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["dest_ip"] == "4.3.2.1"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["dest_port"] == "21803"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["log_type"] == "tcp_syn"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["service"] == "tcp"
 results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["source_ip"] == "172.1.2.3"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["datasource_path"] == "tcpdump-logs.log"
-results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/tcpdump-logs"][3].Evt.Whitelisted == false
+len(results["success"][""]) == 0
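Review bot: The re-added lines `results["s01-parse"]["crowdsecurity/tcpdump-logs"][1].Evt.Parsed["new_connection"] == "true"` and `...[1].Evt.Parsed["source_ip"] == "172.1.2.3"`, together with the added `...[1].Evt.Meta["source_ip"] == "172.1.2.3"` line and the context line pinning `...[1].Evt.Meta["log_type"] == "tcp_syn"`, lock in the parser's treatment of the responder's SYN-ACK (`172.1.2.3.22 > 1.2.3.4.43436: Flags [S.]`) as a new inbound connection originating from the protected host, and event [3] is pinned the same way. A scenario that counts `tcp_syn` events per `source_ip` would then attribute the host's own replies to it, which is a false-positive and self-ban risk rather than a detection. The parser is outside this diff and the assertions look regenerated, so this is probably pre-existing behaviour being re-recorded rather than something the commit introduces, but it is worth confirming intent before these lines are committed, for instance whether `new_connection` should only be set when `tcpflags` is `"S"` and the assertions for events [1] and [3] adjusted accordingly.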
diff --git a/.tests/tcpudp-flood-traefik/scenario.assert b/.tests/tcpudp-flood-traefik/scenario.assert
index 56425411a40..d7b4de17504 100644
--- a/.tests/tcpudp-flood-traefik/scenario.assert
+++ b/.tests/tcpudp-flood-traefik/scenario.assert
@@ -1,20 +1,64 @@
+len(results) == 1
 "1.2.3.44" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["1.2.3.44"].IP == "1.2.3.44"
 results[0].Overflow.Sources["1.2.3.44"].Range == ""
 results[0].Overflow.Sources["1.2.3.44"].GetScope() == "Ip"
 results[0].Overflow.Sources["1.2.3.44"].GetValue() == "1.2.3.44"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "tcpudp-flood-traefik.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "traefik_tcpudp"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.44"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "tcpudp-flood-traefik.log"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "traefik_tcpudp"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.44"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "tcpudp-flood-traefik.log"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "traefik_tcpudp"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.44"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
\ No newline at end of file
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "tcpudp-flood-traefik.log"
+results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "traefik_tcpudp"
+results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "1.2.3.44"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2024-01-15T18:43:09Z"
+results[0].Overflow.Alert.GetScenario() == "aidalinfo/tcpudp-flood-traefik"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 1001
diff --git a/.tests/technitium-bf/config.yaml b/.tests/technitium-bf/config.yaml
index 29a3d0df302..eda33c214ef 100644
--- a/.tests/technitium-bf/config.yaml
+++ b/.tests/technitium-bf/config.yaml
@@ -8,3 +8,4 @@ postoverflows:
 - ""
 log_file: technitium.log
 log_type: technitium
+ignore_parsers: true
diff --git a/.tests/technitium-bf/parser.assert b/.tests/technitium-bf/parser.assert
deleted file mode 100644
index e1dc5d04c69..00000000000
--- a/.tests/technitium-bf/parser.assert
+++ /dev/null
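Review bot: Every event sampled in this file, from `Events[0]` through the newly added `Events[10]`, asserts the same `timestamp` value `2024-01-15T18:43:09Z`, and the new `GetEventsCount() == 1001` line confirms the fixture is a single-second burst, so the hunk checks that the bucket's `capacity` is exceeded but says nothing about its `leakspeed`; a change that made the bucket leak far too slowly or too quickly would very likely still pass. If the fixture can be extended to span a few seconds, one assertion on an event whose timestamp differs from `Events[0]` would make the time dimension of the flood scenario testable; otherwise this limitation is worth recording next to the scenario definition, which is outside this diff. The added `len(results) == 1` and `Remediation == true` lines are the valuable assertions in this hunk and should stay.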
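Review bot: `ignore_parsers: true` is added here at the same time as `.tests/technitium-bf/parser.assert` (46 lines, deleted in the next hunk) goes away, so the checks that `PintjesB/technitium-logs` extracts `source_ip`, `source_port` and `username` and sets `log_type == "technitium_failed_auth"` no longer run anywhere in the test suite; a regression in that parser would show up, if at all, only as an unexplained scenario failure. Unless the parser assertions were broken for a reason that cannot be fixed, the safer change is to keep a parser.assert (regenerated with the `basename(...)` form the other assert files in this diff now use) and leave `ignore_parsers` unset. If disabling the parser stage is intentional, please say why on the line itself, e.g. `ignore_parsers: true  # parser stage not checked here: <reason>`.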
@@ -1,46 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "technitium"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-len(results["s01-parse"]["PintjesB/technitium-logs"]) == 6
-results["s01-parse"]["PintjesB/technitium-logs"][0].Success == true
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["day"] == "28"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["message"] == "[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["month"] == "07"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["program"] == "technitium"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["source_ip"] == "169.254.44.3"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["source_port"] == "50051"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["time"] == "05:34:01"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["year"] == "2025"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["log_type"] == "technitium_failed_auth"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["service"] == "technitium"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["source_ip"] == "169.254.44.3"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["source_port"] == "50051"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["username"] == "admin"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "28"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "07"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "technitium"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "169.254.44.3"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "50051"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "05:34:01"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2025"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "technitium_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "technitium"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "169.254.44.3"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_port"] == "50051"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/technitium-bf/scenario.assert b/.tests/technitium-bf/scenario.assert
index 15803c59b4b..3df70ca5b28 100644
--- a/.tests/technitium-bf/scenario.assert
+++ b/.tests/technitium-bf/scenario.assert
@@ -4,54 +4,54 @@ results[0].Overflow.Sources["169.254.44.3"].IP == "169.254.44.3"
 results[0].Overflow.Sources["169.254.44.3"].Range == ""
 results[0].Overflow.Sources["169.254.44.3"].GetScope() == "Ip"
 results[0].Overflow.Sources["169.254.44.3"].GetValue() == "169.254.44.3"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[0].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-28T05:34:01Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "admin"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[1].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-28T05:34:02Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "admin"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[2].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-28T05:34:03Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "admin"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[3].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-28T05:34:04Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "admin"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[4].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-28T05:34:05Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "admin"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "technitium.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "technitium_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "technitium"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "169.254.44.3"
 results[0].Overflow.Alert.Events[5].GetMeta("source_port") == "50051"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "admin"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-28T05:34:06Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "admin"
 results[0].Overflow.Alert.GetScenario() == "PintjesB/technitium-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/technitium-logs/parser.assert b/.tests/technitium-logs/parser.assert
index a01c633dab2..9296dd8fa36 100644
--- a/.tests/technitium-logs/parser.assert
+++ b/.tests/technitium-logs/parser.assert
@@ -19,13 +19,13 @@ results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["source_port"] ==
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["time"] == "05:34:01"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["username"] == "admin"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Parsed["year"] == "2025"
+results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["datasource_path"]) == "technitium.log"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["log_type"] == "technitium_failed_auth"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["service"] == "technitium"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["source_ip"] == "169.254.44.3"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["source_port"] == "50051"
-results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["username"] == "admin"
+results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Meta["target_user"] == "admin"
 results["s01-parse"]["PintjesB/technitium-logs"][0].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -38,14 +38,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_po
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "05:34:01"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2025"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "technitium.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "technitium_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "technitium"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "169.254.44.3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_port"] == "50051"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-28T05:34:01Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-28T05:34:01Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/teleport-bf/parser.assert b/.tests/teleport-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/teleport-bf/scenario.assert b/.tests/teleport-bf/scenario.assert
index fc59979ad5e..388a056d5c3 100644
--- a/.tests/teleport-bf/scenario.assert
+++ b/.tests/teleport-bf/scenario.assert
@@ -4,66 +4,66 @@ results[0].Overflow.Sources["172.19.0.2"].IP == "172.19.0.2"
 results[0].Overflow.Sources["172.19.0.2"].Range == ""
 results[0].Overflow.Sources["172.19.0.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["172.19.0.2"].GetValue() == "172.19.0.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[0].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "Bekekrb"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[1].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "Bekekrb"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[2].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[2].GetMeta("user") == "Bekekrb"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[3].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[3].GetMeta("user") == "Bekekrb"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[4].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[4].GetMeta("user") == "Bekekrb"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.19.0.2"
 results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[5].GetMeta("success") == "false"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "Bekekrb"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[5].GetMeta("user") == "Bekekrb"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/teleport-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/teleport-impossible-travel/parser.assert b/.tests/teleport-impossible-travel/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/teleport-impossible-travel/scenario.assert b/.tests/teleport-impossible-travel/scenario.assert
index a212328c5d5..b9ecf01c558 100644
--- a/.tests/teleport-impossible-travel/scenario.assert
+++ b/.tests/teleport-impossible-travel/scenario.assert
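Review bot: All six events in this hunk keep the same `timestamp` `2023-09-05T07:16:25.133Z`, so the fixture looks like one Teleport `user.login` failure replayed six times and the bucket is only ever driven at a single instant; the scenario's leak speed and capacity window are never exercised. Each event also asserts both the raw Teleport field `success == "false"` and the new normalized `auth_status == "failed"`, which is fine as long as the parser keeps emitting both. If the fixture is regenerated, spacing the lines a second apart — as the `technitium.log` fixture elsewhere in this commit already is — would make the test sensitive to bucket timing. The `len(results)` and `Sources` checks preceding the hunk are outside it.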
@@ -12,29 +12,29 @@ results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
 results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[0].GetMeta("success") == "true"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[0].Overflow.Alert.Events[0].GetMeta("user") == "root"
 results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
 results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "success"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "teleport-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "teleport"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
 results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login"
 results[0].Overflow.Alert.Events[1].GetMeta("success") == "true"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-05T07:16:26.133Z"
-results[0].Overflow.Alert.Events[1].GetMeta("user") == "root"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
 results[0].Overflow.Alert.Remediation == false
 results[0].Overflow.Alert.GetEventsCount() == 2
@@ -46,29 +46,29 @@ results[1].Overflow.Sources["root"].GetValue() == "root"
 results[1].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
 results[1].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
 results[1].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "success"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "teleport-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "teleport"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
 results[1].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login"
 results[1].Overflow.Alert.Events[0].GetMeta("success") == "true"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z"
-results[1].Overflow.Alert.Events[0].GetMeta("user") == "root"
 results[1].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
 results[1].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
 results[1].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "success"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "teleport-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "teleport"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
 results[1].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login"
 results[1].Overflow.Alert.Events[1].GetMeta("success") == "true"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-05T07:16:26.133Z"
-results[1].Overflow.Alert.Events[1].GetMeta("user") == "root"
 results[1].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel-user"
 results[1].Overflow.Alert.Remediation == false
 results[1].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/teleport-logs/parser.assert b/.tests/teleport-logs/parser.assert
index 01ea9f4c9bc..62eabfb2675 100644
--- a/.tests/teleport-logs/parser.assert
+++ b/.tests/teleport-logs/parser.assert
@@ -3,7 +3,7 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "teleport"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "teleport-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "teleport-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
@@ -12,54 +12,54 @@ len(results["s01-parse"]["crowdsecurity/teleport-logs"]) == 1
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Parsed["program"] == "teleport"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["datasource_path"] == "teleport-logs.log"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["datasource_path"]) == "teleport-logs.log"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["log_type"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["service"] == "teleport"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["source_ip"] == "172.19.0.2"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["sub_type"] == "user.login"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["success"] == "false"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["user"] == "Bekekrb"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["target_user"] == "Bekekrb"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["user"] == "Bekekrb"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["addr.remote"] == "172.19.0.2:34204"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["ei"] == 0
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["error"] == "invalid username, password or second factor"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["success"] == false
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["cluster_name"] == "teleport.home.example.com"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["ei"] == 0
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["event"] == "user.login"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["success"] == false
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["error"] == "invalid username, password or second factor"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["method"] == "local"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["time"] == "2023-09-05T07:16:25.133Z"
-results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129"
 results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "teleport"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "teleport-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "teleport-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "teleport"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.19.0.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["sub_type"] == "user.login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["success"] == "false"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "Bekekrb"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-09-05T07:16:25.133Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "Bekekrb"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-09-05T07:16:25.133Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["cluster_name"] == "teleport.home.example.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["method"] == "local"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["time"] == "2023-09-05T07:16:25.133Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["ei"] == 0
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["error"] == "invalid username, password or second factor"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["event"] == "user.login"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["success"] == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["time"] == "2023-09-05T07:16:25.133Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["user"] == "Bekekrb"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["cluster_name"] == "teleport.home.example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["event"] == "user.login"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["method"] == "local"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["addr.remote"] == "172.19.0.2:34204"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["ei"] == 0
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/thehive-bf/config.yaml b/.tests/thehive-bf/config.yaml
index 072104d0b23..5304c873b86 100644
--- a/.tests/thehive-bf/config.yaml
+++ b/.tests/thehive-bf/config.yaml
@@ -9,5 +9,5 @@ postoverflows:
 log_file: thehive-bf.log
 log_type: thehive
 labels: {}
-ignore_parsers: false
+ignore_parsers: true
 override_statics: []
diff --git a/.tests/thehive-bf/parser.assert b/.tests/thehive-bf/parser.assert
deleted file mode 100644
index 71e0154f684..00000000000
--- a/.tests/thehive-bf/parser.assert
+++ /dev/null
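Review bot: `ignore_parsers: true`, together with the deletion of `.tests/thehive-bf/parser.assert` in this commit, means the thehive-bf test no longer checks any parser-stage output, so a regression in the fields extracted by `crowdsecurity/thehive-logs` would only surface indirectly through the scenario assertions. If that is deliberate because `.tests/thehive-logs/parser.assert` already covers the parser, saying so on the line would keep the next maintainer from re-adding the file, e.g. `ignore_parsers: true  # parser output is asserted in .tests/thehive-logs`.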
@@ -1,138 +0,0 @@
-len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 6
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
-len(results["s01-parse"]["crowdsecurity/thehive-logs"]) == 6
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][2].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][3].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][4].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Success == true
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Parsed["program"] == "thehive"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s01-parse"]["crowdsecurity/thehive-logs"][5].Evt.Meta["source_ip"] == "172.17.0.2"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "thehive-bf.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "172.17.0.2"
-len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/thehive-bf/scenario.assert b/.tests/thehive-bf/scenario.assert
index bbbdacb2e8d..90d1d039c65 100644
--- a/.tests/thehive-bf/scenario.assert
+++ b/.tests/thehive-bf/scenario.assert
@@ -4,30 +4,36 @@ results[0].Overflow.Sources["172.17.0.2"].IP == "172.17.0.2"
 results[0].Overflow.Sources["172.17.0.2"].Range == ""
 results[0].Overflow.Sources["172.17.0.2"].GetScope() == "Ip"
 results[0].Overflow.Sources["172.17.0.2"].GetValue() == "172.17.0.2"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.2"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.2"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.2"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.17.0.2"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "thehive-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "thehive-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "thehive_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "thehive"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.17.0.2"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/thehive-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/thehive-logs/config.yaml b/.tests/thehive-logs/config.yaml
index fdfc284797f..0d75d734912 100644
--- a/.tests/thehive-logs/config.yaml
+++ b/.tests/thehive-logs/config.yaml
@@ -1,6 +1,5 @@
 parsers:
 - crowdsecurity/syslog-logs
-- crowdsecurity/dateparse-enrich
 - ./parsers/s01-parse/crowdsecurity/thehive-logs.yaml
 scenarios:
 - ""
diff --git a/.tests/thehive-logs/parser.assert b/.tests/thehive-logs/parser.assert
index c4d6b0e04ac..69aeb2c16b8 100644
--- a/.tests/thehive-logs/parser.assert
+++ b/.tests/thehive-logs/parser.assert
@@ -1,15 +1,17 @@
-len(results) == 4
+len(results) == 3
 len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.1 POST /api/v1/login took 8ms and returned 401 65 bytes"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "thehive-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "thehive-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "thehive"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "thehive-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "thehive-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
@@ -18,33 +20,20 @@ results["s01-parse"]["crowdsecurity/thehive-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.1 POST /api/v1/login took 8ms and returned 401 65 bytes"
 results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["program"] == "thehive"
 results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Parsed["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["datasource_path"] == "thehive-logs.log"
+results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["datasource_path"]) == "thehive-logs.log"
 results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["log_type"] == "thehive_failed_auth"
+results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["service"] == "thehive"
 results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/thehive-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/thehive-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
 results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["program"] == "thehive"
 results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["datasource_path"] == "thehive-logs.log"
+results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["datasource_path"]) == "thehive-logs.log"
 results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["log_type"] == "thehive_failed_auth"
+results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["service"] == "thehive"
 results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Meta["source_ip"] == "172.17.0.2"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.1 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "172.17.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "thehive-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "thehive"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "thehive_failed_auth"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "172.17.0.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "thehive-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s01-parse"]["crowdsecurity/thehive-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/thehive-logs/thehive-logs.log b/.tests/thehive-logs/thehive-logs.log
index 0a86364b2c2..878f42cb612 100644
--- a/.tests/thehive-logs/thehive-logs.log
+++ b/.tests/thehive-logs/thehive-logs.log
@@ -1,2 +1,2 @@
 [info] o.t.s.AccessLogFilter [1e60d1e5e2a1741f|2989d0704d3c364c] 172.17.0.1 POST /api/v1/login took 8ms and returned 401 65 bytes
-[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes
\ No newline at end of file
+[info] o.t.s.AccessLogFilter [1e60d1e5e2a1742f|2989d0704d3c594c] 172.17.0.2 POST /api/v1/login took 8ms and returned 401 65 bytes
diff --git a/.tests/thinkphp-cve-2018-20062/parser.assert b/.tests/thinkphp-cve-2018-20062/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/traefik_base-http-scenario/parser.assert b/.tests/traefik_base-http-scenario/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/unifi-logs/parser.assert b/.tests/unifi-logs/parser.assert
index 1b461f02db7..8a1b9fb7575 100644
--- a/.tests/unifi-logs/parser.assert
+++ b/.tests/unifi-logs/parser.assert
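Review bot: The new `Evt.Meta["auth_status"] == "failed"` assertions for both events are only exercised against 401 responses — the two lines in `thehive-logs.log` (patched in the same commit) are both `returned 401` — so a parser that emitted `auth_status: failed` unconditionally would pass this file unchanged. If the parser distinguishes successful from failed logins, adding one successful `/api/v1/login` line to the sample log and asserting its `auth_status` (or the absence of the key) would pin that behaviour; if it only ever matches failures, the removed `log_type == "thehive_failed_auth"` line was documenting that and the replacement `service == "thehive"` does not. Note that `len(results) == 3` in the first hunk and the dropped `s02-enrich` block here depend on the `config.yaml` hunk removing `crowdsecurity/dateparse-enrich`, so the three changes have to land together.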
@@ -75,21 +75,21 @@ results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Meta["datasource_type
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Meta["log_type"] == "iptables_drop"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Meta["service"] == "udp"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["LEN"] == "102"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["ID"] == "45366"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["OUT"] == ""
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["TOS"] == "00"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["TOS"] == "00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["OUT"] == ""
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
-results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["LEN"] == "102"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["TTL"] == "49"
+results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
 results["s01-parse"]["crowdsecurity/iptables-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Parsed["action"] == "D"
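Review bot: The nine `Evt.Unmarshaled["iptables"]` assertions removed in this hunk all reappear as added lines with the same key and value (`SRC`, `DESCR`, `DPT`, `IN`, `TOS`, `OUT`, `SPT`, `DST`, `LEN`), so the hunk changes nothing about what the parser is expected to produce. The shuffled order suggests the assert generator writes these keys in map iteration order, which would make this file churn on every regeneration and bury the real changes elsewhere in the commit; sorting the keys of `Unmarshaled` maps when the file is generated would keep such diffs empty. The same pure reorder appears in the `@@ -114`, `@@ -151`, `@@ -210`, `@@ -251` and `@@ -290` hunks of this file.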
@@ -114,21 +114,21 @@ results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Meta["log_type"] == "
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Meta["machine"] == "UDMP-DTC"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Meta["service"] == "udp"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["TTL"] == "49"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["ID"] == "45366"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["TOS"] == "00"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["LEN"] == "102"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["OUT"] == ""
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["TOS"] == "00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["ID"] == "45366"
+results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Unmarshaled["iptables"]["OUT"] == ""
 results["s01-parse"]["crowdsecurity/iptables-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Success == true
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Parsed["action"] == "A"
@@ -151,21 +151,21 @@ results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Meta["datasource_type
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Meta["log_type"] == "iptables_event"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Meta["service"] == "udp"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Meta["source_ip"] == "192.168.1.2"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["LEN"] == "102"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["OUT"] == ""
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.2"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["TOS"] == "00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["ID"] == "45366"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["TTL"] == "49"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
-results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["LEN"] == "102"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["TOS"] == "00"
+results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Unmarshaled["iptables"]["TTL"] == "49"
 results["s01-parse"]["crowdsecurity/iptables-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/iptables-logs"][3].Success == false
 len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 1
@@ -178,9 +178,10 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_client_ip"] == "192.168.1.2"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "asdasf"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp"] == "Jun 27 09:02:22"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"]) == "unifi-logs.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "iptables_drop"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "Dream-Machine-Pro"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "192.168.1.2"
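Review bot: The new expected value `results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "iptables_drop"` does not fit the event it describes, which the same hunk pins to `Meta["service"] == "ssh"` and `Meta["auth_status"] == "failed"` and whose parsed fields are `sshd_client_ip` and `sshd_invalid_user`. Replacing `ssh_failed-auth` with the iptables drop label reads like a regenerated snapshot that captured a stale `log_type` carried over from the iptables parser rather than a value the sshd parser set, so the parser output should be checked before this assertion is accepted; if the sshd parser intentionally no longer sets `log_type`, the line should be removed rather than pinned to the iptables value. The enriched copy of the same event is asserted identically in the `@@ -315,9 +316,10 @@` hunk of this file.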
@@ -210,21 +211,21 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-06-13T23:29:15Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-06-13T23:29:15Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["LEN"] == "102"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["OUT"] == ""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["TTL"] == "49"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["ID"] == "45366"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["LEN"] == "102"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["OUT"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["TOS"] == "00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["action"] == "D"
@@ -251,21 +252,21 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-06-13T23:29:15Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-06-13T23:29:15Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["LEN"] == "102"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["ID"] == "45366"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["TOS"] == "00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["OUT"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["TOS"] == "00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["TTL"] == "49"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["ID"] == "45366"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["LEN"] == "102"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["action"] == "A"
@@ -290,21 +291,21 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-06-13T23:29:15Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-06-13T23:29:15Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["LEN"] == "102"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["OUT"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["TOS"] == "00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["TTL"] == "49"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["MAC"] == "74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["SPT"] == "38451"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["TTL"] == "49"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["PROTO"] == "UDP"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["DPT"] == "54329"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["DST"] == "192.168.1.25"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["TOS"] == "00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["SRC"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["ID"] == "45366"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["OUT"] == ""
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["DESCR"] == "[WAN_LOCAL]Block All Traffic"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["MARK"] == "1a0000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["IN"] == "eth8"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["iptables"]["PREC"] == "0x00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["hostname"] == "Dream-Machine-Pro"
@@ -315,9 +316,10 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_client_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_invalid_user"] == "asdasf"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jun 27 09:02:22"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "unifi-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "iptables_drop"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "Dream-Machine-Pro"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.2"
diff --git a/.tests/uptime-kuma-bf/parser.assert b/.tests/uptime-kuma-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/uptime-kuma-logs/parser.assert b/.tests/uptime-kuma-logs/parser.assert
index 263123183fa..3c0be30bd5b 100644
--- a/.tests/uptime-kuma-logs/parser.assert
+++ b/.tests/uptime-kuma-logs/parser.assert
@@ -1,25 +1,76 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2022-04-25T15:08:29.098Z [AUTH] WARN: Incorrect username or password for user Test. IP=1.1.1.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "uptime-kuma"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2022-04-25T15:16:10.450Z [AUTH] WARN: Invalid token provided for user Test. IP=1.1.1.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "uptime-kuma"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["timokoessler/uptime-kuma-logs"]) == 2
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Success == true
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["timestamp"] == "2022-04-25T15:08:29.098Z"
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["username"] == "Test"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["message"] == "2022-04-25T15:08:29.098Z [AUTH] WARN: Incorrect username or password for user Test. IP=1.1.1.1"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["program"] == "uptime-kuma"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["datasource_path"] == "uptime-kuma-logs.log"
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["timestamp"] == "2022-04-25T15:08:29.098Z"
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Parsed["username"] == "Test"
+basename(results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["log_type"] == "uptime_kuma_failed_password"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["service"] == "uptime-kuma"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Meta["username"] == "Test"
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Success == true
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["message"] == "2022-04-25T15:16:10.450Z [AUTH] WARN: Invalid token provided for user Test. IP=1.1.1.1"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["program"] == "uptime-kuma"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["source_ip"] == "1.1.1.1"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["timestamp"] == "2022-04-25T15:16:10.450Z"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["username"] == "Test"
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Parsed["message"] == "2022-04-25T15:16:10.450Z [AUTH] WARN: Invalid token provided for user Test. IP=1.1.1.1"
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["datasource_path"] == "uptime-kuma-logs.log"
+basename(results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["log_type"] == "uptime_kuma_failed_totp"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["service"] == "uptime-kuma"
 results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1"
-results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["username"] == "Test"
\ No newline at end of file
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Meta["username"] == "Test"
+results["s01-parse"]["timokoessler/uptime-kuma-logs"][1].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2022-04-25T15:08:29.098Z [AUTH] WARN: Incorrect username or password for user Test. IP=1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "uptime-kuma"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2022-04-25T15:08:29.098Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "Test"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "uptime_kuma_failed_password"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "uptime-kuma"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-25T15:08:29.098Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "Test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-25T15:08:29.098Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2022-04-25T15:16:10.450Z [AUTH] WARN: Invalid token provided for user Test. IP=1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "uptime-kuma"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2022-04-25T15:16:10.450Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "Test"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "uptime-kuma-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "uptime_kuma_failed_totp"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "uptime-kuma"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.1.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-25T15:16:10.45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "Test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-04-25T15:16:10.45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/vaultwarden-bf/parser.assert b/.tests/vaultwarden-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/vaultwarden-bf/scenario.assert b/.tests/vaultwarden-bf/scenario.assert
index aea8f1b2b5b..9acafea9b4c 100644
--- a/.tests/vaultwarden-bf/scenario.assert
+++ b/.tests/vaultwarden-bf/scenario.assert
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].IP == "2001:db8::b6 results[0].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].Range == "" results[0].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].GetScope() == "Ip" results[0].Overflow.Sources["2001:db8::b6d3:95d7:1425:766d"].GetValue() == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-03T16:10:11.219Z" -results[0].Overflow.Alert.Events[0].GetMeta("username") == "test@example.com" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-03T16:10:15.993Z" -results[0].Overflow.Alert.Events[1].GetMeta("username") == "test@example.com" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == 
"vaultwarden-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[2].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-03T16:10:14.593Z" -results[0].Overflow.Alert.Events[2].GetMeta("username") == "test@example.com" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-03T16:10:30.702Z" -results[0].Overflow.Alert.Events[3].GetMeta("username") == "test@example.com" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[4].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-03T16:10:35.376Z" 
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "test@example.com" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "vaultwarden_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("service") == "vaultwarden" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8::b6d3:95d7:1425:766d" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "test@example.com" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-03T16:10:36.81Z" -results[0].Overflow.Alert.Events[5].GetMeta("username") == "test@example.com" results[0].Overflow.Alert.GetScenario() == "Dominic-Wagner/vaultwarden-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 
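Review bot: Dropping the `log_type` meta assertions (the `-results[0].Overflow.Alert.Events[N].GetMeta("log_type") == "vaultwarden_failed_auth"` lines) removes the only field that recorded which authentication path produced each event; after this hunk results[0] through results[3] all assert just `auth_status == "failed"`, so a parser regression that classified, say, a 2FA-TOTP failure as a password failure would still pass this test. The same removal is repeated in the hunks at @@ -54, @@ -98 and @@ -142 of this file and in the .tests/vaultwarden-logs/parser.assert hunks from @@ -225 through @@ -349, where the per-event `Evt.Meta["log_type"]` lines go too. If the parser still emits a field distinguishing password, admin-token, TOTP and e-mail failures, asserting it here keeps that coverage; if it no longer does, the commit description should state it, because other scenarios or notification templates keyed on `evt.Meta.log_type` would stop matching without any test failing. The `username` to `target_user` rename appears to follow the hub's shared meta naming, but it is likewise a breaking change for consumers reading the old key and deserves a mention for the same reason.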
@@ -54,39 +54,39 @@ results[1].Overflow.Sources["2001:db8:48::82b:7a19"].IP == "2001:db8:48::82b:7a1 results[1].Overflow.Sources["2001:db8:48::82b:7a19"].Range == "" results[1].Overflow.Sources["2001:db8:48::82b:7a19"].GetScope() == "Ip" results[1].Overflow.Sources["2001:db8:48::82b:7a19"].GetValue() == "2001:db8:48::82b:7a19" +results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[0].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8:48::82b:7a19" results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" +results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[1].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8:48::82b:7a19" results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" +results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[2].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8:48::82b:7a19" 
results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" +results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[3].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8:48::82b:7a19" results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" +results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[4].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8:48::82b:7a19" results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" +results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "vaultwarden_failed_admin_auth" results[1].Overflow.Alert.Events[5].GetMeta("service") == "vaultwarden" results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8:48::82b:7a19" results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-05T11:55:04.725Z" 
@@ -98,39 +98,39 @@ results[2].Overflow.Sources["2001:db8:48::82b:7a18"].IP == "2001:db8:48::82b:7a1 results[2].Overflow.Sources["2001:db8:48::82b:7a18"].Range == "" results[2].Overflow.Sources["2001:db8:48::82b:7a18"].GetScope() == "Ip" results[2].Overflow.Sources["2001:db8:48::82b:7a18"].GetValue() == "2001:db8:48::82b:7a18" +results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[0].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8:48::82b:7a18" results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" +results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[1].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8:48::82b:7a18" results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" +results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[2].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2001:db8:48::82b:7a18" 
results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" +results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[3].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2001:db8:48::82b:7a18" results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" +results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[4].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2001:db8:48::82b:7a18" results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" +results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "vaultwarden_failed_2fa_totp" results[2].Overflow.Alert.Events[5].GetMeta("service") == "vaultwarden" results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "2001:db8:48::82b:7a18" results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-05T12:01:51.892Z" 
@@ -142,39 +142,39 @@ results[3].Overflow.Sources["192.168.45.12"].IP == "192.168.45.12" results[3].Overflow.Sources["192.168.45.12"].Range == "" results[3].Overflow.Sources["192.168.45.12"].GetScope() == "Ip" results[3].Overflow.Sources["192.168.45.12"].GetValue() == "192.168.45.12" +results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[0].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" +results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[1].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" +results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[2].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" 
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[3].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" +results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[4].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" +results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "vaultwarden-bf.log" results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "vaultwarden_failed_2fa_email" results[3].Overflow.Alert.Events[5].GetMeta("service") == "vaultwarden" results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.45.12" results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-02-05T12:01:51.892Z" diff --git a/.tests/vaultwarden-logs/parser.assert b/.tests/vaultwarden-logs/parser.assert index 149e0968c96..b64ebe24cd7 100644 --- a/.tests/vaultwarden-logs/parser.assert +++ b/.tests/vaultwarden-logs/parser.assert 
@@ -1,5 +1,5 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 32 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 33 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[2022-02-03 16:10:11.219][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: ::1. Username: test@example.com." results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "Vaultwarden" @@ -192,7 +192,13 @@ results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Parsed["program"] == "Vau basename(results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][31].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 32 +results["s00-raw"]["crowdsecurity/non-syslog"][32].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Parsed["message"] == "[2024-03-07 21:20:00.000-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.2. Username: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl." +results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Parsed["program"] == "Vaultwarden" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][32].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 33 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false 
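Review bot: The new event at index 32 is the only sample whose timestamp carries a numeric UTC offset (`[2024-03-07 21:20:00.000-0700]`), yet this hunk asserts only the raw-stage fields for it (`Success`, `message`, `program` and the datasource meta). Whether the offset is actually honoured is decided later, by `Evt.Parsed["datetimestamp"]` in s01-parse and `Evt.Enriched["MarshaledTime"]` / `Evt.Meta["timestamp"]` in s02-enrich, and the index-32 assertions for those stages fall outside this chunk, so I cannot confirm they exist. Worth checking that the enriched timestamp is asserted as the UTC instant (21:20:00 at -07:00 is 2024-03-08T04:20:00Z; value constructed here from the sample line) rather than the wall-clock value with the offset silently dropped, since that is the case this sample was presumably added to cover.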
@@ -225,19 +231,20 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][28].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][29].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][30].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][31].Success == false -len(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"]) == 32 +results["s00-raw"]["crowdsecurity/syslog-logs"][32].Success == false +len(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"]) == 33 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:11.219" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Parsed["message"] == "[2022-02-03 16:10:11.219][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: ::1. Username: test@example.com." results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["username"] == "test@example.com" 
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][0].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:15.993" @@ -245,12 +252,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][1].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:14.593" 
@@ -258,12 +265,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][2].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:30.702" 
@@ -271,12 +278,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][3].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:35.376" 
@@ -284,12 +291,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][4].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:36.810" 
@@ -297,12 +304,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Parsed["source_ip"] == "::1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][5].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Parsed["datetimestamp"] == "2021-02-03 16:10:59.955" 
@@ -310,12 +317,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Parsed["message"] results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Parsed["program"] == "Vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Parsed["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["auth_status"] == "failed" basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["service"] == "vaultwarden" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["source_ip"] == "192.168.1.1" -results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["username"] == "test@example.com" +results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Meta["target_user"] == "test@example.com" results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][6].Evt.Whitelisted == false results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Success == true results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Parsed["datetimestamp"] == "2021-02-03 16:11:02.266" 
@@ -323,12 +330,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Parsed["message"]
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Parsed["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Meta["target_user"] == "test@example.com"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Success == true
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Parsed["datetimestamp"] == "2021-02-03 16:11:04.117"
@@ -336,12 +343,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Parsed["message"]
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Parsed["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Meta["target_user"] == "test@example.com"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Success == true
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Parsed["datetimestamp"] == "2021-02-03 16:11:57.620"
@@ -349,21 +356,21 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Parsed["message"]
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Parsed["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["source_ip"] == "192.168.1.1"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["username"] == "test@example.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Meta["target_user"] == "test@example.com"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Success == true
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Parsed["datetimestamp"] == "2022-02-05 11:55:04.725"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. 
IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][10].Evt.Whitelisted == false
@@ -372,9 +379,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][11].Evt.Whitelisted == false
@@ -383,9 +390,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][12].Evt.Whitelisted == false
@@ -394,9 +401,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][13].Evt.Whitelisted == false
@@ -405,9 +412,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][14].Evt.Whitelisted == false
@@ -416,9 +423,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Parsed["source_ip"] == "::1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][15].Evt.Whitelisted == false
@@ -433,9 +440,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][16].Evt.Whitelisted == false
@@ -450,9 +457,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][17].Evt.Whitelisted == false
@@ -467,9 +474,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][18].Evt.Whitelisted == false
@@ -484,9 +491,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][19].Evt.Whitelisted == false
@@ -501,9 +508,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][20].Evt.Whitelisted == false
@@ -518,9 +525,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Parsed["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Parsed["year"] == "2022"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Meta["source_ip"] == "::1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][21].Evt.Whitelisted == false
@@ -529,9 +536,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][22].Evt.Whitelisted == false
@@ -540,9 +547,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][23].Evt.Whitelisted == false
@@ -551,9 +558,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][24].Evt.Whitelisted == false
@@ -562,9 +569,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][25].Evt.Whitelisted == false
@@ -573,9 +580,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][26].Evt.Whitelisted == false
@@ -584,9 +591,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][27].Evt.Whitelisted == false
@@ -596,12 +603,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Parsed["message"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Parsed["username"] == "blah@gmail.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["username"] == "blah@gmail.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Meta["target_user"] == "blah@gmail.com"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][28].Evt.Whitelisted == false
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Success == true
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Parsed["datetimestamp"] == "2024-03-02 17:42:20.407-0700"
@@ -609,12 +616,12 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Parsed["message"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Parsed["username"] == "blah@gmail.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["username"] == "blah@gmail.com"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Meta["target_user"] == "blah@gmail.com"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][29].Evt.Whitelisted == false
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Success == true
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Parsed["datetimestamp"] == "2024-03-07 21:16:33.743-0700"
@@ -627,9 +634,9 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Parsed["server_t
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Parsed["server_tz"] == "UTC"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Parsed["source_ip"] == "192.168.43.14"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Meta["source_ip"] == "192.168.43.14"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][30].Evt.Whitelisted == false
@@ -638,12 +645,13 @@ results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Parsed["datetime
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Parsed["message"] == "[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Parsed["program"] == "Vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Parsed["source_ip"] == "192.168.41.1"
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["auth_status"] == "failed"
 basename(results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["service"] == "vaultwarden"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Meta["source_ip"] == "192.168.41.1"
 results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][31].Evt.Whitelisted == false
+results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][32].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 32
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["datetimestamp"] == "2022-02-03 16:10:11.219"
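Review bot: The added `results["s01-parse"]["Dominic-Wagner/vaultwarden-logs"][32].Success == false` pins a 33rd sample line as unparsed, and the unchanged `len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 32` shows it never reaches enrichment; nothing in the diff says whether that line is a deliberate negative sample or one the reworked parser stopped matching, so it should be checked against the parser's patterns before the expectation is committed. In this hunk and the ones for indexes 10–27 and 30, the per-event discriminator (`vaultwarden_failed_admin_auth`, `vaultwarden_failed_2fa_totp`, `vaultwarden_failed_2fa_email`, `vaultwarden_failed_auth`) is dropped in favour of a single `auth_status == "failed"`, so a scenario can no longer separate admin-token or 2FA failures from password failures on metadata alone; if any scenario relied on that split, keep a `log_type`-style key alongside `auth_status`. Only events that carried `Parsed["username"]` get `target_user`, so admin and 2FA failures end up with no user metadata — consistent with the source lines, but worth stating in the parser's description so scenario authors do not expect it.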
@@ -651,13 +659,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "::1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "test@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "::1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-02-03T16:10:11.219Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:11.219Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true 
@@ -666,13 +674,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "::1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "test@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "::1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-02-03T16:10:15.993Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:15.993Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true 
@@ -681,13 +689,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "Vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "::1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "test@example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "vaultwarden_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "vaultwarden" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "::1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-02-03T16:10:14.593Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "test@example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:14.593Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true 
@@ -696,13 +704,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2022-02-03T16:10:30.702Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:30.702Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
@@ -711,13 +719,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2022-02-03T16:10:35.376Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:35.376Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
@@ -726,13 +734,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2022-02-03T16:10:36.81Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2022-02-03T16:10:36.81Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
@@ -741,13 +749,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2021-02-03T16:10:59.955Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2021-02-03T16:10:59.955Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
@@ -756,13 +764,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2021-02-03T16:11:02.266Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2021-02-03T16:11:02.266Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true
@@ -771,13 +779,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2021-02-03T16:11:04.117Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2021-02-03T16:11:04.117Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
@@ -786,13 +794,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "test@example.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2021-02-03T16:11:57.62Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "test@example.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2021-02-03T16:11:57.62Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
@@ -800,9 +808,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
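Review bot: Once `Meta["log_type"] == "vaultwarden_failed_admin_auth"` is dropped and only `Meta["auth_status"] == "failed"` is asserted in its place, nothing in the enriched event's Meta distinguishes an invalid admin-token attempt from a wrong-password or failed-2FA attempt — the other hunks in this file remove `vaultwarden_failed_auth`, `vaultwarden_failed_2fa_totp` and `vaultwarden_failed_2fa_email` the same way, leaving the raw `Parsed["message"]` as the only trace. Any scenario whose filter still references `evt.Meta.log_type` (or `evt.Meta.username`, renamed to `target_user` in the surrounding hunks) will not fail loudly; as far as I recall, a filter comparing a missing Meta key simply evaluates false, so detection would silently stop matching. Worth confirming in the same change that the vaultwarden scenarios were migrated to the new keys and that admin-token brute force is still covered separately, since the `/admin` endpoint is the higher-value target. If the per-surface distinction is meant to survive, a second Meta key such as `auth_type` (e.g. `password`, `admin_token`, `2fa_totp`, `2fa_email`) asserted here next to `auth_status` would keep it available to scenarios without reintroducing `log_type`.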
@@ -813,9 +821,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
@@ -826,9 +834,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
@@ -839,9 +847,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
@@ -852,9 +860,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
@@ -865,9 +873,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "[2022-02-05 11:55:04.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: ::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["source_ip"] == "::1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2022-02-05T11:55:04.725Z"
@@ -884,9 +892,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -903,9 +911,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][17].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -922,9 +930,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][18].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -941,9 +949,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][19].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -960,9 +968,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][20].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -979,9 +987,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Parsed["year"] == "2022"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["source_ip"] == "::1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][21].Evt.Meta["timestamp"] == "2022-02-05T12:01:51.892Z"
@@ -992,9 +1000,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][22].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1005,9 +1013,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][23].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1018,9 +1026,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][24].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1031,9 +1039,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][25].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1044,9 +1052,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][26].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1057,9 +1065,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["message"] == "[2024-02-05 12:01:51.892][vaultwarden::api::core::two_factor::email][ERROR] Token is invalid! IP: 192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Parsed["source_ip"] == "192.168.45.12"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_email"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["source_ip"] == "192.168.45.12"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][27].Evt.Meta["timestamp"] == "2024-02-05T12:01:51.892Z"
@@ -1071,13 +1079,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["message"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Parsed["username"] == "blah@gmail.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["target_user"] == "blah@gmail.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["timestamp"] == "2024-03-02T17:38:19.023-07:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Meta["username"] == "blah@gmail.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Enriched["MarshaledTime"] == "2024-03-02T17:38:19.023-07:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][28].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Success == true
@@ -1086,13 +1094,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["message"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Parsed["username"] == "blah@gmail.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["log_type"] == "vaultwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["source_ip"] == "192.168.1.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["target_user"] == "blah@gmail.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["timestamp"] == "2024-03-02T17:42:20.407-07:00"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Meta["username"] == "blah@gmail.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Enriched["MarshaledTime"] == "2024-03-02T17:42:20.407-07:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Success == true
@@ -1106,9 +1114,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["server_t
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["server_tz"] == "UTC"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["source_ip"] == "192.168.43.14"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Parsed["year"] == "2024"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["log_type"] == "vaultwarden_failed_2fa_totp"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["source_ip"] == "192.168.43.14"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][30].Evt.Meta["timestamp"] == "2024-03-07T21:16:33.743-07:00"
@@ -1119,9 +1127,9 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["datetime
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["message"] == "[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["program"] == "Vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Parsed["source_ip"] == "192.168.41.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["auth_status"] == "failed"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_path"]) == "vaultwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["log_type"] == "vaultwarden_failed_admin_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["service"] == "vaultwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["source_ip"] == "192.168.41.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][31].Evt.Meta["timestamp"] == "2024-03-07T21:19:30.45-07:00"
diff --git a/.tests/vaultwarden-logs/vaultwarden-logs.log b/.tests/vaultwarden-logs/vaultwarden-logs.log
index 5945fa43e41..e6dabc2cfdc 100644
--- a/.tests/vaultwarden-logs/vaultwarden-logs.log
+++ b/.tests/vaultwarden-logs/vaultwarden-logs.log
@@ -29,4 +29,5 @@
 [2024-03-02 17:38:19.023-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.2. Username: blah@gmail.com.
 [2024-03-02 17:42:20.407-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.2. Username: blah@gmail.com.
 [2024-03-07 21:16:33.743-0700][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
-[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
\ No newline at end of file
+[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
+[2024-03-07 21:20:00.000-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.2. Username: crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl.
\ No newline at end of file
diff --git a/.tests/vmware-cve-2022-22954/parser.assert b/.tests/vmware-cve-2022-22954/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/vmware-vcenter-vmsa-2021-0027/parser.assert b/.tests/vmware-vcenter-vmsa-2021-0027/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/vsftpd-bf/parser.assert b/.tests/vsftpd-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/vsftpd-bf/scenario.assert b/.tests/vsftpd-bf/scenario.assert
index 66c4c81f33c..bf35a435c86 100644
--- a/.tests/vsftpd-bf/scenario.assert
+++ b/.tests/vsftpd-bf/scenario.assert
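Review bot: The new last line of the log (a password failure for the synthetic `crowdsec-test-…` account) has no matching assertion in the vaultwarden parser.assert hunks above, which end at event index 31, so whether that line is expected to be parsed, whitelisted or dropped is not pinned by this change unless the assertion lives in an earlier hunk outside this view. I would add the expected `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][32]` assertions, or at least a `len(...)` check on the stage, so that a change in how that line is handled fails the test. The file is also still saved without a trailing newline on the new side (`\ No newline at end of file`), which most editors re-add on save and will show up as a spurious change the next time the fixture is touched.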
@@ -4,43 +4,54 @@ results[0].Overflow.Sources["93.24.101.89"].IP == "93.24.101.89" results[0].Overflow.Sources["93.24.101.89"].Range == "" results[0].Overflow.Sources["93.24.101.89"].GetScope() == "Ip" results[0].Overflow.Sources["93.24.101.89"].GetValue() == "93.24.101.89" -results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ftp_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[0].GetMeta("user") == "user" -results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2020-06-08T12:08:53Z" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ftp_failed_auth" results[0].Overflow.Alert.Events[1].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[1].GetMeta("user") == "user" -results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == 
"2020-06-08T12:08:53Z" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ftp_failed_auth" results[0].Overflow.Alert.Events[2].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[2].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[2].GetMeta("user") == "user" -results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2020-06-08T12:08:54Z" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ftp_failed_auth" results[0].Overflow.Alert.Events[3].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[3].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[3].GetMeta("user") == "user" -results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2020-06-08T12:08:54Z" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ftp_failed_auth" 
results[0].Overflow.Alert.Events[4].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[4].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[4].GetMeta("user") == "user" -results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "vsftpd-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2020-06-08T12:08:55Z" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "vsftpd-bf.log" results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ftp_failed_auth" results[0].Overflow.Alert.Events[5].GetMeta("program") == "vsftpd" +results[0].Overflow.Alert.Events[5].GetMeta("service") == "vsftpd" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "93.24.101.89" -results[0].Overflow.Alert.Events[5].GetMeta("user") == "user" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "user" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2020-06-08T12:08:55Z" results[0].Overflow.Alert.GetScenario() == "crowdsecurity/vsftpd-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 - diff --git a/.tests/vsftpd-logs/parser.assert b/.tests/vsftpd-logs/parser.assert index 613b3e44e00..d34c75deabb 100644 --- a/.tests/vsftpd-logs/parser.assert +++ b/.tests/vsftpd-logs/parser.assert 
@@ -1,3 +1,41 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 5 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Mon Jun 8 12:08:44 2020 [pid 27245] CONNECT: Client \"::ffff:93.24.101.89\"" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "vsftpd" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Mon Jun 8 12:12:43 2020 [pid 27307] [ubuntu] OK LOGIN: Client \"::ffff:93.24.101.89\"" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "vsftpd" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "Mon Jun 8 12:08:53 2020 [pid 27244] [user] FAIL LOGIN: Client \"::ffff:93.24.101.89\"" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "vsftpd" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == 
"Mon Jun 9 12:08:53 2020 [pid 27244] [user] FAIL LOGIN: Client \"::ffff:93.24.101.90\"" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "vsftpd" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client \"1.2.3.4\", \"530 Permission denied.\"" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "vsftpd" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false len(results["s01-parse"]["vsftpd-logs"]) == 5 results["s01-parse"]["vsftpd-logs"][0].Success == false results["s01-parse"]["vsftpd-logs"][1].Success == false 
@@ -7,34 +45,89 @@ results["s01-parse"]["vsftpd-logs"][2].Evt.Parsed["program"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][2].Evt.Parsed["source_ip"] == "93.24.101.89" results["s01-parse"]["vsftpd-logs"][2].Evt.Parsed["timestamp"] == "Mon Jun 8 12:08:53 2020" results["s01-parse"]["vsftpd-logs"][2].Evt.Parsed["user"] == "user" +results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["log_type"] == "ftp_failed_auth" results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["program"] == "vsftpd" +results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["service"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["source_ip"] == "93.24.101.89" -results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["user"] == "user" -results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["datasource_path"] == "vsftpd-logs.log" +results["s01-parse"]["vsftpd-logs"][2].Evt.Meta["target_user"] == "user" +results["s01-parse"]["vsftpd-logs"][2].Evt.Whitelisted == false results["s01-parse"]["vsftpd-logs"][3].Success == true results["s01-parse"]["vsftpd-logs"][3].Evt.Parsed["message"] == "Mon Jun 9 12:08:53 2020 [pid 27244] [user] FAIL LOGIN: Client \"::ffff:93.24.101.90\"" results["s01-parse"]["vsftpd-logs"][3].Evt.Parsed["program"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][3].Evt.Parsed["source_ip"] == "93.24.101.90" results["s01-parse"]["vsftpd-logs"][3].Evt.Parsed["timestamp"] == "Mon Jun 9 12:08:53 2020" results["s01-parse"]["vsftpd-logs"][3].Evt.Parsed["user"] == "user" +results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["datasource_type"] == "file" 
-results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["log_type"] == "ftp_failed_auth" results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["program"] == "vsftpd" +results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["service"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["source_ip"] == "93.24.101.90" -results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["user"] == "user" -results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["datasource_path"] == "vsftpd-logs.log" +results["s01-parse"]["vsftpd-logs"][3].Evt.Meta["target_user"] == "user" +results["s01-parse"]["vsftpd-logs"][3].Evt.Whitelisted == false results["s01-parse"]["vsftpd-logs"][4].Success == true results["s01-parse"]["vsftpd-logs"][4].Evt.Parsed["message"] == "Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client \"1.2.3.4\", \"530 Permission denied.\"" results["s01-parse"]["vsftpd-logs"][4].Evt.Parsed["program"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][4].Evt.Parsed["source_ip"] == "1.2.3.4" results["s01-parse"]["vsftpd-logs"][4].Evt.Parsed["timestamp"] == "Mon Apr 12 15:19:22 2021" results["s01-parse"]["vsftpd-logs"][4].Evt.Parsed["user"] == "www-data" -results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["datasource_path"] == "vsftpd-logs.log" +results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["log_type"] == "ftp_failed_auth" results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["program"] == "vsftpd" +results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["service"] == "vsftpd" results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["source_ip"] == "1.2.3.4" -results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["user"] == "www-data" - +results["s01-parse"]["vsftpd-logs"][4].Evt.Meta["target_user"] == "www-data" +results["s01-parse"]["vsftpd-logs"][4].Evt.Whitelisted == false 
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Mon Jun 8 12:08:53 2020 [pid 27244] [user] FAIL LOGIN: Client \"::ffff:93.24.101.89\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "93.24.101.89" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Mon Jun 8 12:08:53 2020" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "user" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "93.24.101.89" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "user" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2020-06-08T12:08:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2020-06-08T12:08:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "Mon Jun 9 12:08:53 2020 [pid 27244] [user] FAIL LOGIN: Client \"::ffff:93.24.101.90\"" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "93.24.101.90" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Mon Jun 9 12:08:53 2020" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "user" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "93.24.101.90" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "user" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2020-06-09T12:08:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2020-06-09T12:08:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "Mon Apr 12 15:19:22 2021 [pid 15685] [www-data] FTP response: Client \"1.2.3.4\", \"530 Permission denied.\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Mon Apr 12 15:19:22 2021" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user"] == "www-data" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "vsftpd-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["program"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "vsftpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "1.2.3.4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "www-data" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2021-04-12T15:19:22Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2021-04-12T15:19:22Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/.tests/webmin-bf/parser.assert b/.tests/webmin-bf/parser.assert deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/.tests/webmin-bf/scenario.assert b/.tests/webmin-bf/scenario.assert index dcab475d93a..9996eecf08a 100644 --- a/.tests/webmin-bf/scenario.assert +++ b/.tests/webmin-bf/scenario.assert 
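Review bot: Meta now carries both `program == "vsftpd"` and `service == "vsftpd"` for every event in the s01-parse and s02-enrich stages, whereas the vaultwarden events in the hunks above expose only `service` in Meta and leave `program` in Parsed. If `service` is the canonical key this normalization introduces, the duplicate `program` Meta entry looks like a leftover and should either be removed from the vsftpd parser and these asserts, or be kept deliberately and consistently across all parsers; the same duplication is visible in the vsftpd-bf scenario.assert hunk above. This hunk starts mid-file at old line 7, so the assertions for events 0 and 1 of s01-parse are outside the visible diff.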
@@ -4,48 +4,48 @@ results[0].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100" results[0].Overflow.Sources["192.168.0.100"].Range == "" results[0].Overflow.Sources["192.168.0.100"].GetScope() == "Ip" results[0].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100" +results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "webmin-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[0].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "admin1" results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-08-02T14:06:44Z" -results[0].Overflow.Alert.Events[0].GetMeta("username") == "admin1" +results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "webmin-bf.log" results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[1].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "admin2" results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-08-02T14:06:46Z" -results[0].Overflow.Alert.Events[1].GetMeta("username") == "admin2" +results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "webmin-bf.log" results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[2].GetMeta("log_type") == 
"webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[2].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "admin3" results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-08-02T14:06:52Z" -results[0].Overflow.Alert.Events[2].GetMeta("username") == "admin3" +results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "webmin-bf.log" results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[3].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "admin4" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-08-02T14:06:58Z" -results[0].Overflow.Alert.Events[3].GetMeta("username") == "admin4" +results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "webmin-bf.log" results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[4].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "admin5" results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-08-02T14:07:14Z" -results[0].Overflow.Alert.Events[4].GetMeta("username") == "admin5" +results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed" basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "webmin-bf.log" 
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" -results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "webmin_failed_auth_wrong_pass" results[0].Overflow.Alert.Events[5].GetMeta("service") == "webmin" results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100" +results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "admin6" results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-08-02T14:07:22Z" -results[0].Overflow.Alert.Events[5].GetMeta("username") == "admin6" results[0].Overflow.Alert.GetScenario() == "andreasbrett/webmin-bf_user-enum" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 6 
@@ -54,48 +54,48 @@ results[1].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[1].Overflow.Sources["192.168.0.100"].Range == ""
 results[1].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[1].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-07-27T14:06:44Z"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "admin"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-07-27T14:06:46Z"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "admin"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-07-27T14:06:52Z"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "admin"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-07-27T14:06:58Z"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "admin"
+results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-07-27T14:07:14Z"
-results[1].Overflow.Alert.Events[4].GetMeta("username") == "admin"
+results[1].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "webmin-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "webmin"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "admin"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-07-27T14:07:22Z"
-results[1].Overflow.Alert.Events[5].GetMeta("username") == "admin"
 results[1].Overflow.Alert.GetScenario() == "andreasbrett/webmin-bf"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 6
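Review bot: Dropping the `log_type == "webmin_failed_auth_wrong_pass"` assertions leaves `auth_status == "failed"` as the only check on why these six events were counted, so this scenario test would still pass if the parser started feeding it failed authentications of a different kind than the wrong-password case the old value pinned. If the parser still exposes that distinction in some meta field, one assertion per alert on it, e.g. on Events[0], would keep the coverage; if the distinction was removed on purpose, saying so in the commit message would help the next reader. The same applies to the `@@ -104,48` and `@@ -154,48` hunks of this file (results[2] and results[3]) and to the results[0] hunk before this one. The rename of the `username` meta to `target_user` is consistent with the parser test changed in this commit.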
@@ -104,48 +104,48 @@ results[2].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[2].Overflow.Sources["192.168.0.100"].Range == ""
 results[2].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[2].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
+results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-08-01T14:06:44Z"
-results[2].Overflow.Alert.Events[0].GetMeta("username") == "admin"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[1].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[1].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-08-01T14:06:46Z"
-results[2].Overflow.Alert.Events[1].GetMeta("username") == "admin"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[2].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[2].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-08-01T14:06:52Z"
-results[2].Overflow.Alert.Events[2].GetMeta("username") == "admin"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[3].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[3].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-08-01T14:06:58Z"
-results[2].Overflow.Alert.Events[3].GetMeta("username") == "admin"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[4].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[4].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-08-01T14:07:14Z"
-results[2].Overflow.Alert.Events[4].GetMeta("username") == "admin"
+results[2].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[2].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "webmin-bf.log"
 results[2].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[2].Overflow.Alert.Events[5].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[2].Overflow.Alert.Events[5].GetMeta("service") == "webmin"
 results[2].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[2].Overflow.Alert.Events[5].GetMeta("target_user") == "admin"
 results[2].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-08-01T14:07:22Z"
-results[2].Overflow.Alert.Events[5].GetMeta("username") == "admin"
 results[2].Overflow.Alert.GetScenario() == "andreasbrett/webmin-bf"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 6
@@ -154,48 +154,48 @@ results[3].Overflow.Sources["192.168.0.100"].IP == "192.168.0.100"
 results[3].Overflow.Sources["192.168.0.100"].Range == ""
 results[3].Overflow.Sources["192.168.0.100"].GetScope() == "Ip"
 results[3].Overflow.Sources["192.168.0.100"].GetValue() == "192.168.0.100"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "admin1"
 results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-08-02T14:06:44Z"
-results[3].Overflow.Alert.Events[0].GetMeta("username") == "admin1"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "admin2"
 results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-08-02T14:06:46Z"
-results[3].Overflow.Alert.Events[1].GetMeta("username") == "admin2"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[2].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[2].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "admin3"
 results[3].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-08-02T14:06:52Z"
-results[3].Overflow.Alert.Events[2].GetMeta("username") == "admin3"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[3].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[3].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "admin4"
 results[3].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-08-02T14:06:58Z"
-results[3].Overflow.Alert.Events[3].GetMeta("username") == "admin4"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[4].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[4].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "admin5"
 results[3].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-08-02T14:07:14Z"
-results[3].Overflow.Alert.Events[4].GetMeta("username") == "admin5"
+results[3].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[3].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "webmin-bf.log"
 results[3].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[3].Overflow.Alert.Events[5].GetMeta("log_type") == "webmin_failed_auth_wrong_pass"
 results[3].Overflow.Alert.Events[5].GetMeta("service") == "webmin"
 results[3].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.0.100"
+results[3].Overflow.Alert.Events[5].GetMeta("target_user") == "admin6"
 results[3].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-08-02T14:07:22Z"
-results[3].Overflow.Alert.Events[5].GetMeta("username") == "admin6"
 results[3].Overflow.Alert.GetScenario() == "andreasbrett/webmin-bf"
 results[3].Overflow.Alert.Remediation == true
 results[3].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/webmin-logs/parser.assert b/.tests/webmin-logs/parser.assert
index 596a398d07e..b78231f9992 100644
--- a/.tests/webmin-logs/parser.assert
+++ b/.tests/webmin-logs/parser.assert
@@ -1,66 +1,84 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 12
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 13
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "1690466804.2161960.0 [27/Jul/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "webmin"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "1690466806.2161960.0 [27/Jul/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "webmin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "1690466812.2161960.0 [27/Jul/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "1690466818.2161960.0 [27/Jul/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "1690466834.2161960.0 [27/Jul/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "1690466842.2161960.0 [27/Jul/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "webmin"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "1690898804.2161960.0 [1/Aug/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "webmin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "1690898806.2161960.0 [1/Aug/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "webmin"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "1690898812.2161960.0 [1/Aug/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "webmin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "1690898818.2161960.0 [1/Aug/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "1690898834.2161960.0 [1/Aug/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "1690898842.2161960.0 [1/Aug/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "webmin"
-results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "webmin-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 12
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "1690899000.2161960.0 [1/Aug/2023 16:10:00] crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "webmin"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "webmin-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 13
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
@@ -73,318 +91,371 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == false
-len(results["s01-parse"]["andreasbrett/webmin-logs"]) == 12
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == false
+len(results["s01-parse"]["andreasbrett/webmin-logs"]) == 13
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Success == true
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Parsed["message"] == "1690466804.2161960.0 [27/Jul/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Parsed["unix_epoch"] == "1690466804"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Parsed["username"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Success == true
+results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["message"] == "1690466806.2161960.0 [27/Jul/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["unix_epoch"] == "1690466806"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Parsed["message"] == "1690466806.2161960.0 [27/Jul/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Success == true
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Parsed["message"] == "1690466812.2161960.0 [27/Jul/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Parsed["unix_epoch"] == "1690466812"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["username"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Success == true
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["message"] == "1690466818.2161960.0 [27/Jul/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["unix_epoch"] == "1690466818"
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["message"] == "1690466818.2161960.0 [27/Jul/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Parsed["program"] == "webmin"
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["service"] == "webmin"
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][3].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Success == true
+results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["message"] == "1690466834.2161960.0 [27/Jul/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["unix_epoch"] == "1690466834"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["message"] == "1690466834.2161960.0 [27/Jul/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Parsed["program"] == "webmin"
-results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["username"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][4].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Success == true
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Parsed["message"] == "1690466842.2161960.0 [27/Jul/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Parsed["unix_epoch"] == "1690466842"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["username"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][5].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Success == true
+results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["message"] == "1690898804.2161960.0 [1/Aug/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["unix_epoch"] == "1690898804"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["message"] == "1690898804.2161960.0 [1/Aug/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
-results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Parsed["program"] == "webmin"
-results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["service"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["username"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Meta["target_user"] == "admin"
+results["s01-parse"]["andreasbrett/webmin-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Success == true
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Parsed["message"] == "1690898806.2161960.0 [1/Aug/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Parsed["program"] == "webmin"
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Parsed["unix_epoch"] == "1690898806"
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Parsed["username"] == "admin"
-results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["service"] == "webmin"
results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][7].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/webmin-logs"][8].Success == true +results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["message"] == "1690898812.2161960.0 [1/Aug/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["program"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["source_ip"] == "192.168.0.100" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["unix_epoch"] == "1690898812" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Parsed["message"] == "1690898812.2161960.0 [1/Aug/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" +results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["service"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["username"] == "admin" -results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["datasource_path"] == "webmin-logs.log" 
+results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][8].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/webmin-logs"][9].Success == true results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Parsed["message"] == "1690898818.2161960.0 [1/Aug/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Parsed["program"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Parsed["source_ip"] == "192.168.0.100" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Parsed["unix_epoch"] == "1690898818" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["service"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][9].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/webmin-logs"][10].Success == true -results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["unix_epoch"] == "1690898834" -results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["username"] == "admin" 
results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["message"] == "1690898834.2161960.0 [1/Aug/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["program"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["unix_epoch"] == "1690898834" +results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Parsed["username"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["service"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["username"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][10].Evt.Whitelisted == false results["s01-parse"]["andreasbrett/webmin-logs"][11].Success == true results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Parsed["message"] == "1690898842.2161960.0 [1/Aug/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Parsed["program"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Parsed["source_ip"] == "192.168.0.100" 
results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Parsed["unix_epoch"] == "1690898842" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Parsed["username"] == "admin" -results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["service"] == "webmin" results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["source_ip"] == "192.168.0.100" -results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["username"] == "admin" -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 12 +results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Meta["target_user"] == "admin" +results["s01-parse"]["andreasbrett/webmin-logs"][11].Evt.Whitelisted == false +results["s01-parse"]["andreasbrett/webmin-logs"][12].Success == true +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Parsed["message"] == "1690899000.2161960.0 [1/Aug/2023 16:10:00] crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Parsed["program"] == "webmin" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Parsed["source_ip"] == "192.168.0.100" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Parsed["unix_epoch"] == "1690899000" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["auth_status"] == "failed" 
+basename(results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["datasource_path"]) == "webmin-logs.log" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["service"] == "webmin" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["source_ip"] == "192.168.0.100" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl" +results["s01-parse"]["andreasbrett/webmin-logs"][12].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 13 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "1690466804.2161960.0 [27/Jul/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unix_epoch"] == "1690466804" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "1690466804.2161960.0 [27/Jul/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-07-27T14:06:44Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-07-27T14:06:44Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:06:44Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "1690466806.2161960.0 [27/Jul/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unix_epoch"] == "1690466806" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == 
"webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-07-27T14:06:46Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:06:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "1690466812.2161960.0 [27/Jul/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["unix_epoch"] == "1690466812" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-07-27T14:06:52Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-07-27T14:06:52Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:06:52Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "1690466818.2161960.0 [27/Jul/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["unix_epoch"] == "1690466818" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-07-27T14:06:58Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "webmin-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:06:58Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "1690466834.2161960.0 [27/Jul/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["unix_epoch"] == "1690466834" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["auth_status"] == "failed" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-07-27T14:07:14Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:07:14Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "1690466842.2161960.0 [27/Jul/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["unix_epoch"] == "1690466842" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.168.0.100" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-07-27T14:07:22Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["username"] == "admin" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "webmin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-07-27T14:07:22Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-07-27T14:07:22Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "1690898804.2161960.0 [1/Aug/2023 16:06:44] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["unix_epoch"] == "1690898804" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["auth_status"] == 
"failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2023-08-01T14:06:44Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:06:44Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "1690898806.2161960.0 [1/Aug/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["unix_epoch"] == "1690898806" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "1690898806.2161960.0 [1/Aug/2023 16:06:46] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "webmin" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "webmin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["auth_status"] == "failed" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "webmin-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.168.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_user"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2023-08-01T14:06:46Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["username"] == "admin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:06:46Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "1690898812.2161960.0 [1/Aug/2023 16:06:52] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\"" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "webmin" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["source_ip"] == "192.168.0.100" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["unix_epoch"] == "1690898812" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["username"] == "admin" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2023-08-01T14:06:52Z" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2023-08-01T14:06:52Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:06:52Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["unix_epoch"] == "1690898818"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "1690898818.2161960.0 [1/Aug/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["source_ip"] == "192.168.0.100"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-08-01T14:06:58Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["unix_epoch"] == "1690898818"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["username"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_user"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2023-08-01T14:06:58Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:06:58Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["username"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "1690898834.2161960.0 [1/Aug/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["unix_epoch"] == "1690898834"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["username"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "admin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2023-08-01T14:07:14Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "webmin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:07:14Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "1690898842.2161960.0 [1/Aug/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "webmin"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "192.168.0.100"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["unix_epoch"] == "1690898842"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.0.100"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-08-01T14:07:22Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["username"] == "admin"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "webmin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"]) == "webmin-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "webmin_failed_auth_wrong_pass"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "webmin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["target_user"] == "admin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2023-08-01T14:07:22Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:07:22Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "1690899000.2161960.0 [1/Aug/2023 16:10:00] crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl - 192.168.0.100 global miniserv.pl \"failed\" \"-\" \"wrongpass\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "webmin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["unix_epoch"] == "1690899000"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["username"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"]) == "webmin-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "webmin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "192.168.0.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["target_user"] == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2023-08-01T14:10:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2023-08-01T14:10:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/webmin-logs/webmin-logs.log b/.tests/webmin-logs/webmin-logs.log
index 0afbc902bee..ca2ef83efcb 100644
--- a/.tests/webmin-logs/webmin-logs.log
+++ b/.tests/webmin-logs/webmin-logs.log
@@ -10,3 +10,4 @@
 1690898818.2161960.0 [1/Aug/2023 16:06:58] admin - 192.168.0.100 global miniserv.pl "failed" "-" "wrongpass"
 1690898834.2161960.0 [1/Aug/2023 16:07:14] admin - 192.168.0.100 global miniserv.pl "failed" "-" "wrongpass"
 1690898842.2161960.0 [1/Aug/2023 16:07:22] admin - 192.168.0.100 global miniserv.pl "failed" "-" "wrongpass"
+1690899000.2161960.0 [1/Aug/2023 16:10:00] crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl - 192.168.0.100 global miniserv.pl "failed" "-" "wrongpass"
diff --git a/.tests/whitelists/parser.assert b/.tests/whitelists/parser.assert
index 2cef284f3c4..a215bd3f73f 100644
--- a/.tests/whitelists/parser.assert
+++ b/.tests/whitelists/parser.assert
@@ -6,7 +6,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Inv
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "16378"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sshd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "whitelists.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "sd-126005"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
@@ -16,7 +16,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "Inv
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "16378"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sshd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "whitelists.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "sd-126005"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
@@ -26,7 +26,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "Inv
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "16378"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "sshd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "whitelists.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "sd-126005"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
@@ -36,7 +36,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "Inv
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "16378"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "sshd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "whitelists.log"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "sd-126005"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
@@ -49,9 +49,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_client_ip"] == "35.188.49.176"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "35.188.49.176"
@@ -65,9 +65,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_client_ip"] == "127.0.0.1"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1"
@@ -81,9 +81,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_client_ip"] == "192.168.1.13"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "192.168.1.13"
@@ -97,9 +97,9 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["program"] == "ssh
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_client_ip"] == "10.0.0.1"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["machine"] == "sd-126005"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["source_ip"] == "10.0.0.1"
@@ -114,9 +114,9 @@ results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Parsed["program"] == "s
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Parsed["sshd_client_ip"] == "35.188.49.176"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/whitelists"][0].Evt.Meta["source_ip"] == "35.188.49.176"
@@ -130,9 +130,9 @@ results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Parsed["program"] == "s
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Parsed["sshd_client_ip"] == "127.0.0.1"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/whitelists"][1].Evt.Meta["source_ip"] == "127.0.0.1"
@@ -147,9 +147,9 @@ results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Parsed["program"] == "s
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Parsed["sshd_client_ip"] == "192.168.1.13"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/whitelists"][2].Evt.Meta["source_ip"] == "192.168.1.13"
@@ -164,9 +164,9 @@ results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Parsed["program"] == "s
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Parsed["sshd_client_ip"] == "10.0.0.1"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Parsed["sshd_invalid_user"] == "pascal"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
-results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["datasource_path"] == "whitelists.log"
+results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["datasource_path"]) == "whitelists.log"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["log_type"] == "ssh_failed-auth"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["machine"] == "sd-126005"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["service"] == "ssh"
 results["s02-enrich"]["crowdsecurity/whitelists"][3].Evt.Meta["source_ip"] == "10.0.0.1"
diff --git a/.tests/windows-bf/parser.assert b/.tests/windows-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/windows-bf/scenario.assert b/.tests/windows-bf/scenario.assert
index 7173af6600c..1149ee49aad 100644
--- a/.tests/windows-bf/scenario.assert
+++ b/.tests/windows-bf/scenario.assert
@@ -4,60 +4,66 @@ results[0].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
 results[0].Overflow.Sources["192.168.9.212"].Range == ""
 results[0].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[0].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-29T12:36:01.9027913Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[1].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[1].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-29T12:36:02.2268806Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[2].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[2].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-29T12:36:03.2268806Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[3].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[3].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-29T12:36:04.2268806Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[4].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[4].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-29T12:36:06.2268806Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[5].GetMeta("auth_status") == "failed"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "wineventlog"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("logon_type") == "3"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "windows"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.212"
 results[0].Overflow.Alert.Events[5].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[5].GetMeta("sub_status") == "0xc0000064"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "asdfasdf"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-29T12:36:07.2268806Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "asdfasdf"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/windows-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/windows-logs/parser.assert b/.tests/windows-logs/parser.assert
index d8acf9269d1..3e1a5e3f04f 100644
--- a/.tests/windows-logs/parser.assert
+++ b/.tests/windows-logs/parser.assert
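Review bot: Dropping the six `GetMeta("log_type") == "windows_failed_auth"` assertions leaves nothing in this file that pins the key's absence, so the test cannot distinguish a parser that renamed `log_type` to `auth_status` from one that now emits both. A scenario elsewhere that still filters on `evt.Meta.log_type` would keep matching in the first case and silently stop matching in the second, and the only signal this hunk keeps is the unchanged `GetEventsCount() == 6`. If the rename is intentional, one negative assertion per event, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("log_type") == ""`, would pin it, provided `GetMeta` returns the empty string for an absent key (confirm against the event model before relying on it).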
@@ -1,23 +1,49 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/windows-eventlog"]) == 1
+len(results["s00-raw"]["crowdsecurity/windows-eventlog"]) == 2
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Success == true
-results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["program"] == "wineventlog"
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["Channel"] == "Security"
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["EventID"] == "4625"
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
-results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Meta["datasource_path"] == "windows-logs.log"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["program"] == "wineventlog"
+basename(results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Meta["datasource_path"]) == "windows-logs.log"
 results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Meta["datasource_type"] == "wineventlog"
-len(results["s00-raw"]["overrides"]) == 1
+results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Success == true
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Channel"] == "Security"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["EventID"] == "4625"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["program"] == "wineventlog"
+basename(results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Meta["datasource_path"]) == "windows-logs.log"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Meta["datasource_type"] == "wineventlog"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["overrides"]) == 2
 results["s00-raw"]["overrides"][0].Success == true
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s00-raw"]["overrides"][0].Evt.Whitelisted == false
+results["s00-raw"]["overrides"][1].Success == true
+results["s00-raw"]["overrides"][1].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "wineventlog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["Channel"] == "Security"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["EventID"] == "4625"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "windows-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "wineventlog"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "windows-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "wineventlog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-28T16:09:28.9443547Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-28T16:09:28.9443547Z"
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-28T16:09:28.9443547Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Channel"] == "Security"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["EventID"] == "4625"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "wineventlog"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "windows-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "wineventlog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-28T16:10:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-04-28T16:10:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/windows-logs/windows-logs.log b/.tests/windows-logs/windows-logs.log
index db5cda9ad7a..ba4227521d3 100644
--- a/.tests/windows-logs/windows-logs.log
+++ b/.tests/windows-logs/windows-logs.log
@@ -1 +1,2 @@
-- - 4625 0 0 12544 0 0x8010000000000000 2524 Security exchange-1.mydomain.test - S-1-5-18 EXCHANGE-1$ MYDOMAIN 0x3e7 S-1-0-0 testuser@mydomain.test EXCHANGE-1 0xc000006d %%2313 0xc0000064 8 Advapi Negotiate EXCHANGE-1 - - 0 0x14a0 C:\Windows\System32\inetsrv\w3wp.exe 192.168.9.212 1628
\ No newline at end of file
+- - 4625 0 0 12544 0 0x8010000000000000 2524 Security exchange-1.mydomain.test - S-1-5-18 EXCHANGE-1$ MYDOMAIN 0x3e7 S-1-0-0 testuser@mydomain.test EXCHANGE-1 0xc000006d %%2313 0xc0000064 8 Advapi Negotiate EXCHANGE-1 - - 0 0x14a0 C:\Windows\System32\inetsrv\w3wp.exe 192.168.9.212 1628
+- - 4625 0 0 12544 0 0x8010000000000000 2525 Security exchange-1.mydomain.test - S-1-5-18 EXCHANGE-1$ MYDOMAIN 0x3e7 S-1-0-0 crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl EXCHANGE-1 0xc000006d %%2313 0xc0000064 8 Advapi Negotiate EXCHANGE-1 - - 0 0x14a0 C:\Windows\System32\inetsrv\w3wp.exe 192.168.9.212 1629
\ No newline at end of file
diff --git a/.tests/wireguard-auth/scenario.assert b/.tests/wireguard-auth/scenario.assert
index d2dd1e830e2..cd9622678a2 100644
--- a/.tests/wireguard-auth/scenario.assert
+++ b/.tests/wireguard-auth/scenario.assert
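Review bot: The second fixture record is distinguished, in the added assertions, only by its timestamp (`...dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-04-28T16:10:00Z"`); nothing asserts on the `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` target user, which is the only other field the new log line changes. With `len(results) == 3` and only `s00-raw`, `s02-enrich` and `success` present, no s01-parse auth parser appears to run in this test, so the Meta keys that would carry it (`target_user`, `auth_status`, `source_ip`, as asserted in the windows-bf scenario) are presumably never produced here. If the second record exists to exercise that user name, either add the auth parser to this test's configuration and assert `Evt.Meta["target_user"]`, or assert on whichever `Evt.Parsed` field the eventlog parser exposes for it; otherwise the new line only adds coverage for the record count.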
@@ -4,38 +4,38 @@ results[0].Overflow.Sources["192.168.100.30"].IP == "192.168.100.30"
 results[0].Overflow.Sources["192.168.100.30"].Range == ""
 results[0].Overflow.Sources["192.168.100.30"].GetScope() == "Ip"
 results[0].Overflow.Sources["192.168.100.30"].GetValue() == "192.168.100.30"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "wireguard-auth.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "wireguard-auth.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "wireguard_unauthorized_packet"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "wireguard_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("machine") == "workshop"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "wireguard"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.100.30"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-06-20T08:42:20Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "wireguard-auth.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-06-20T08:42:20Z"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "wireguard-auth.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_subtype") == "wireguard_unauthorized_packet"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "wireguard_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("machine") == "workshop"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "wireguard"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.100.30"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp")[4:] == "-06-20T08:42:21Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "wireguard-auth.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-06-20T08:42:21Z"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "wireguard-auth.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_subtype") == "wireguard_unauthorized_packet"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "wireguard_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("machine") == "workshop"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "wireguard"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.100.30"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp")[4:] == "-06-20T08:42:22Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "wireguard-auth.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-06-20T08:42:22Z"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "wireguard-auth.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_subtype") == "wireguard_unauthorized_packet"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "wireguard_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("machine") == "workshop"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "wireguard"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.100.30"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp")[4:] == "-06-20T08:42:23Z"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-06-20T08:42:23Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/wireguard-auth"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/wireguard-logs/parser.assert b/.tests/wireguard-logs/parser.assert
index 443c97fc1f9..54a37ba71e5 100644
--- a/.tests/wireguard-logs/parser.assert
+++ b/.tests/wireguard-logs/parser.assert
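Review bot: The rewritten timestamp assertions pin a full year (`results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-06-20T08:42:20Z"`) for events that come from year-less syslog lines (`Jun 20 08:42:20` in the wireguard-logs fixture), and the year-agnostic `[4:]` suffix comparison they replace was what kept this fixture independent of the wall clock. Unless the test runner fixes the reference year that dateparse-enrich uses to fill in the missing year, these lines will start failing once the clock rolls into 2026. If the runner does pin the year, that is worth stating in the test documentation so the next reader does not revert to the suffix form; otherwise keep the old shape, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-06-20T08:42:20Z"`. The same point applies to the `Meta["timestamp"]` and `Enriched["MarshaledTime"]` lines in the `.tests/wireguard-logs/parser.assert` hunk below.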
@@ -1,149 +1,161 @@
 len(results) == 4
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "kernel"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jun 20 08:35:15"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "[82508.100168] wireguard: wg0: Packet has unallowed src IP (10.0.0.3) from peer 1 (192.168.1.2:51820)"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "kernel"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jun 20 08:35:15"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "workshop"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "kernel"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jun 20 08:37:32"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Packet has unallowed src IP (10.30.0.20) from peer 2 (10.20.50.100:51820)"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "kernel"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jun 20 08:37:32"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "workshop"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "kernel"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jun 20 08:40:02"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "[82508.102168] wireguard: wg0: Invalid handshake initiation from 172.17.100.130:51820"
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "kernel"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jun 20 08:40:02"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "workshop"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "kernel"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jun 20 08:42:20"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Invalid handshake initiation from 192.168.100.30:51820"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "kernel"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jun 20 08:42:20"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "workshop"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 len(results["s01-parse"]["crowdsecurity/wireguard-logs"]) == 4
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["message"] == "[82508.100168] wireguard: wg0: Packet has unallowed src IP (10.0.0.3) from peer 1 (192.168.1.2:51820)"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["program"] == "kernel"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["timestamp"] == "Jun 20 08:35:15"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Parsed["message"] == "[82508.100168] wireguard: wg0: Packet has unallowed src IP (10.0.0.3) from peer 1 (192.168.1.2:51820)"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["log_subtype"] == "wireguard_invalid_handshake"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["machine"] == "workshop"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["service"] == "wireguard"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Success == true
-results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["timestamp"] == "Jun 20 08:37:32"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Packet has unallowed src IP (10.30.0.20) from peer 2 (10.20.50.100:51820)"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["source_ip"] == "10.20.50.100"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["program"] == "kernel"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["source_ip"] == "10.20.50.100"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Parsed["timestamp"] == "Jun 20 08:37:32"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["log_subtype"] == "wireguard_invalid_handshake"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["machine"] == "workshop"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["service"] == "wireguard"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Meta["source_ip"] == "10.20.50.100"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["message"] == "[82508.102168] wireguard: wg0: Invalid handshake initiation from 172.17.100.130:51820"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["program"] == "kernel"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["source_ip"] == "172.17.100.130"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Parsed["timestamp"] == "Jun 20 08:40:02"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["service"] == "wireguard"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["source_ip"] == "172.17.100.130"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["log_subtype"] == "wireguard_unauthorized_packet"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["machine"] == "workshop"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["service"] == "wireguard"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Meta["source_ip"] == "172.17.100.130"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Success == true
-results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["source_ip"] == "192.168.100.30"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["timestamp"] == "Jun 20 08:42:20"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Invalid handshake initiation from 192.168.100.30:51820"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["program"] == "kernel"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["source_ip"] == "192.168.100.30"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Parsed["timestamp"] == "Jun 20 08:42:20"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["log_subtype"] == "wireguard_unauthorized_packet"
-results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["machine"] == "workshop"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["service"] == "wireguard"
 results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Meta["source_ip"] == "192.168.100.30"
+results["s01-parse"]["crowdsecurity/wireguard-logs"][3].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "kernel"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[82508.100168] wireguard: wg0: Packet has unallowed src IP (10.0.0.3) from peer 1 (192.168.1.2:51820)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "kernel"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jun 20 08:35:15"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_subtype"] == "wireguard_invalid_handshake"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "workshop"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "wireguard"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"][4:] == "-06-20T08:35:15Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "wireguard-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"][4:] == "-06-20T08:35:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-06-20T08:35:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-06-20T08:35:15Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Packet has unallowed src IP (10.30.0.20) from peer 2 (10.20.50.100:51820)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "kernel"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "10.20.50.100"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jun 20 08:37:32"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Packet has unallowed src IP (10.30.0.20) from peer 2 (10.20.50.100:51820)"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.20.50.100"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"][4:] == "-06-20T08:37:32Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_subtype"] == "wireguard_invalid_handshake"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "workshop"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "wireguard"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"][4:] == "-06-20T08:37:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.20.50.100"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-06-20T08:37:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-06-20T08:37:32Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[82508.102168] wireguard: wg0: Invalid handshake initiation from 172.17.100.130:51820"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "kernel"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "172.17.100.130"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jun 20 08:40:02"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.17.100.130"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"][4:] == "-06-20T08:40:02Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "wireguard-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_subtype"] == "wireguard_unauthorized_packet"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "workshop"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "wireguard"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"][4:] == "-06-20T08:40:02Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.17.100.130"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-06-20T08:40:02Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-06-20T08:40:02Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Invalid handshake initiation from 192.168.100.30:51820"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "kernel"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "192.168.100.30"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jun 20 08:42:20"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[82508.102168] wireguard: wg1: Invalid handshake initiation from 192.168.100.30:51820"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["auth_status"] == "failed"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "wireguard-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_subtype"] == "wireguard_unauthorized_packet"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "wireguard_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "workshop"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "wireguard"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.100.30"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"][4:] == "-06-20T08:42:20Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "wireguard-logs.log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"][4:] == "-06-20T08:42:20Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-06-20T08:42:20Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-06-20T08:42:20Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 len(results["success"][""]) == 0
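Review bot: The `log_subtype` values asserted in this hunk look inverted relative to the kernel messages next to them: event [0] (`Packet has unallowed src IP (10.0.0.3) from peer 1 (192.168.1.2:51820)`) is expected to carry `wireguard_invalid_handshake`, while event [2] (`Invalid handshake initiation from 172.17.100.130:51820`) is expected to carry `wireguard_unauthorized_packet`, and [1]/[3] pair up the same way in both the s01-parse and s02-enrich stages. These are unchanged context lines, so the commit did not introduce the mapping, but the new side locks it in, and the wireguard-auth scenario fixture also labels the 192.168.100.30 handshake failures `wireguard_unauthorized_packet`, which suggests the parser itself assigns the two subtypes the wrong way round rather than a typo in one fixture. That matters for anyone filtering or alerting on the subtype, so the parser's pattern order should be checked before these expectations are kept; if the labelling is intentional for a reason not visible from the messages, a short note in the parser's description would spare the next reader the same question. Separately, the `Meta["log_type"] == "wireguard_failed_auth"` assertions are dropped without a replacement; if the key is still emitted, keeping the check costs nothing, and if it was deliberately removed, asserting its absence would catch it coming back.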
diff --git a/.tests/zimbra-bf/parser.assert b/.tests/zimbra-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/zimbra-logs/parser.assert b/.tests/zimbra-logs/parser.assert
index 783497c00c0..8f9a0622901 100644
--- a/.tests/zimbra-logs/parser.assert
+++ b/.tests/zimbra-logs/parser.assert
@@ -1,51 +1,84 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2021-03-03 19:26:38,616 INFO [qtp93314457-137:https://test.fr:7071/service/admin/soap/AuthRequest] [name=toto@test.fr;oip=192.168.7.101;port=52016;ua=ZimbraWebClient - GC88 (Linux);soapId=9fd8101;] SoapEngine - handler exception: authentication failed for [toto@test.fr], invalid password"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "zimbra"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2021-03-03 19:51:53,762 INFO [qtp93314457-324:smtp://smtp.test.fr:7073/service/admin/soap/] [oip=192.168.7.15;oport=57752;oproto=smtp;soapId=688cb579;] SoapEngine - handler exception: authentication failed for [toto.tata], account not found"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "zimbra"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2021-03-03 19:53:15,744 INFO [qtp93314457-589:smtp://smtp.test.fr:7073/service/admin/soap/] [oip=192.168.7.15;oport=24304;oproto=smtp;soapId=688cb584;] SoapEngine - handler exception: authentication failed for 
[toto@test.fr], account not found"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "zimbra"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2021-03-03 19:53:06,536 WARN [qtp93314457-589:smtp://smtp.test.fr:7073/service/admin/soap/] [name=tata@test.fr;oip=192.168.7.15;oport=41496;oproto=smtp;soapId=688cb582;] SoapEngine - handler exception"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "zimbra"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
 len(results["s01-parse"]["firewallservices/zimbra-logs"]) == 4
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Success == true
-results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["server"] == "test.fr"
-results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["src_ip"] == "192.168.7.101"
-results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["time_local"] == "2021-03-03 19:26"
-results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["user"] == "toto@test.fr"
results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["message"] == "2021-03-03 19:26:38,616 INFO [qtp93314457-137:https://test.fr:7071/service/admin/soap/AuthRequest] [name=toto@test.fr;oip=192.168.7.101;port=52016;ua=ZimbraWebClient - GC88 (Linux);soapId=9fd8101;] SoapEngine - handler exception: authentication failed for [toto@test.fr], invalid password"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["port"] == "7071"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["program"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["proto"] == "https"
-results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["datasource_path"] == "zimbra-logs.log"
+results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["server"] == "test.fr"
+results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["src_ip"] == "192.168.7.101"
+results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["time_local"] == "2021-03-03 19:26"
+results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Parsed["user"] == "toto@test.fr"
+basename(results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["log_type"] == "zimbra_auth_fail"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["service"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["source_ip"] == "192.168.7.101"
 results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Meta["user"] == "toto@test.fr"
+results["s01-parse"]["firewallservices/zimbra-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Success == true
-results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["src_ip"] == "192.168.7.15"
-results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["time_local"] == "2021-03-03 19:51"
-results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["user"] == "toto.tata"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["message"] == "2021-03-03 19:51:53,762 INFO [qtp93314457-324:smtp://smtp.test.fr:7073/service/admin/soap/] [oip=192.168.7.15;oport=57752;oproto=smtp;soapId=688cb579;] SoapEngine - handler exception: authentication failed for [toto.tata], account not found"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["port"] == "7073"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["program"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["proto"] == "smtp"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["server"] == "smtp.test.fr"
-results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["datasource_path"] == "zimbra-logs.log"
+results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["src_ip"] == "192.168.7.15"
+results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["time_local"] == "2021-03-03 19:51"
+results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Parsed["user"] == "toto.tata"
+basename(results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["log_type"] == "zimbra_auth_fail"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["service"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["source_ip"] == "192.168.7.15"
 results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Meta["user"] == "toto.tata"
+results["s01-parse"]["firewallservices/zimbra-logs"][1].Evt.Whitelisted == false
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Success 
== true
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["server"] == "smtp.test.fr"
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["src_ip"] == "192.168.7.15"
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["time_local"] == "2021-03-03 19:53"
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["user"] == "toto@test.fr"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["message"] == "2021-03-03 19:53:15,744 INFO [qtp93314457-589:smtp://smtp.test.fr:7073/service/admin/soap/] [oip=192.168.7.15;oport=24304;oproto=smtp;soapId=688cb584;] SoapEngine - handler exception: authentication failed for [toto@test.fr], account not found"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["port"] == "7073"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["program"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["proto"] == "smtp"
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["user"] == "toto@test.fr"
-results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["datasource_path"] == "zimbra-logs.log"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["server"] == "smtp.test.fr"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["src_ip"] == "192.168.7.15"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["time_local"] == "2021-03-03 19:53"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Parsed["user"] == "toto@test.fr"
+basename(results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["log_type"] == "zimbra_auth_fail"
 results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["service"] == "zimbra"
results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["source_ip"] == "192.168.7.15"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Meta["user"] == "toto@test.fr"
+results["s01-parse"]["firewallservices/zimbra-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Success == true
-results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["user"] == "tata@test.fr"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["message"] == "2021-03-03 19:53:06,536 WARN [qtp93314457-589:smtp://smtp.test.fr:7073/service/admin/soap/] [name=tata@test.fr;oip=192.168.7.15;oport=41496;oproto=smtp;soapId=688cb582;] SoapEngine - handler exception"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["port"] == "7073"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["program"] == "zimbra"
@@ -53,10 +86,12 @@ results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["proto"] == "
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["server"] == "smtp.test.fr"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["src_ip"] == "192.168.7.15"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["time_local"] == "2021-03-03 19:53"
-results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["datasource_path"] == "zimbra-logs.log"
+results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["user"] == "tata@test.fr"
+basename(results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["datasource_path"]) == "zimbra-logs.log"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["log_type"] == "zimbra_auth_fail"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["service"] == "zimbra"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["source_ip"] == "192.168.7.15"
 results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Meta["user"] == "tata@test.fr"
-
+results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/zoneminder-bf/parser.assert b/.tests/zoneminder-bf/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/zoneminder-bf/scenario.assert b/.tests/zoneminder-bf/scenario.assert
index 384d10f57a8..5c718cdee78 100644
--- a/.tests/zoneminder-bf/scenario.assert
+++ b/.tests/zoneminder-bf/scenario.assert
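Review bot: The regenerated assertions for event [3] — `+results["s01-parse"]["firewallservices/zimbra-logs"][3].Evt.Parsed["user"] == "tata@test.fr"` and `+...[3].Evt.Whitelisted == false` in this second hunk, next to the unchanged `Meta["log_type"] == "zimbra_auth_fail"` line — pin a classification worth a second look: that fixture line is a bare `WARN ... SoapEngine - handler exception` with no `authentication failed for` text, unlike events [0]–[2], yet it is accepted as an auth failure with a target user. If the parser deliberately treats any handler exception carrying a `name=` field as a failed login, a comment in the parser YAML stating that would keep the next regeneration from silently re-pinning it; if not, this line is a false positive that now feeds the brute-force scenario, and the expected result for it should be `Success == false`. The same message is asserted verbatim again in the new s00-raw block of the first hunk, so the two hunks lock in the same behaviour twice.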
@@ -1,87 +1,191 @@
-len(results) == 2
+len(results) == 5
 "2222:3333:444a:a300:3c65:1111:1111:1112" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].IP == "2222:3333:444a:a300:3c65:1111:1111:1112"
 results[0].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].Range == ""
 results[0].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].GetScope() == "Ip"
 results[0].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].GetValue() == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "zm_bad_user"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "zm_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "zoneminder"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-25T16:08:02.393003Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "user1"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
+results[0].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_subtype") == "zm_bad_user"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "zm_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "zoneminder"
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-25T16:08:03.393003Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "user2"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "user2"
+results[0].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_subtype") == "zm_bad_user"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "zm_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "zoneminder"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-25T16:08:03.393003Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "user3"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "user3"
+results[0].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_subtype") == "zm_bad_user"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "zm_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "zoneminder"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-25T16:08:03.531511Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "user4"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "user4"
+results[0].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_subtype") == "zm_bad_user"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "zm_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "zoneminder"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-25T16:08:03.531511Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "user5"
-results[0].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "user5"
+results[0].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf_user-enum"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 5
-"2222:3333:444a:a300:3c65:1111:1111:1111" in results[1].Overflow.GetSources()
-results[1].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].IP == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].Range == ""
-results[1].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].GetScope() == "Ip"
-results[1].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].GetValue() == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "zoneminder-bf.log"
+"10.0.1.5" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["10.0.1.5"].IP == "10.0.1.5"
+results[1].Overflow.Sources["10.0.1.5"].Range == ""
+results[1].Overflow.Sources["10.0.1.5"].GetScope() == "Ip"
+results[1].Overflow.Sources["10.0.1.5"].GetValue() == "10.0.1.5"
+results[1].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_subtype") == "zm_bad_password"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "zm_failed_auth"
-results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-01-25T16:22:17.359785Z"
-results[1].Overflow.Alert.Events[0].GetMeta("username") == "test_user"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "zoneminder"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.1.5"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "aaaa"
+results[1].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_subtype") == "zm_bad_password"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "zm_failed_auth"
-results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-01-25T16:22:17.359785Z"
-results[1].Overflow.Alert.Events[1].GetMeta("username") == "test_user"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "zoneminder"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.1.5"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "bbbb"
+results[1].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_subtype") == "zm_bad_password"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "zm_failed_auth"
-results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-01-25T16:22:17.359785Z"
-results[1].Overflow.Alert.Events[2].GetMeta("username") == "test_user"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "zoneminder"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.1.5"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "cccc"
+results[1].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "zoneminder-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_subtype") == "zm_bad_password"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "zm_failed_auth"
-results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-01-25T16:22:17.359785Z"
-results[1].Overflow.Alert.Events[3].GetMeta("username") == "test_user"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "zoneminder-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "zoneminder"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == 
"10.0.1.5" +results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "validuser1" +results[1].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed" +basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "zoneminder-bf.log" results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" -results[1].Overflow.Alert.Events[4].GetMeta("log_subtype") == "zm_bad_password" -results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "zm_failed_auth" -results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111" -results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-01-25T16:22:17.359785Z" -results[1].Overflow.Alert.Events[4].GetMeta("username") == "test_user" -results[1].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf" +results[1].Overflow.Alert.Events[4].GetMeta("service") == "zoneminder" +results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.1.5" +results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "validuser2" +results[1].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf_user-enum" results[1].Overflow.Alert.Remediation == true results[1].Overflow.Alert.GetEventsCount() == 5 +"2222:3333:444a:a300:3c65:1111:1111:1112" in results[2].Overflow.GetSources() +results[2].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].IP == "2222:3333:444a:a300:3c65:1111:1111:1112" +results[2].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].Range == "" +results[2].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].GetScope() == "Ip" +results[2].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1112"].GetValue() == "2222:3333:444a:a300:3c65:1111:1111:1112" +results[2].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed" +basename(results[2].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "zoneminder-bf.log" +results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" 
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "zoneminder"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
+results[2].Overflow.Alert.Events[0].GetMeta("target_user") == "user1"
+results[2].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[2].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[1].GetMeta("service") == "zoneminder"
+results[2].Overflow.Alert.Events[1].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
+results[2].Overflow.Alert.Events[1].GetMeta("target_user") == "user1"
+results[2].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[2].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[2].GetMeta("service") == "zoneminder"
+results[2].Overflow.Alert.Events[2].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
+results[2].Overflow.Alert.Events[2].GetMeta("target_user") == "user2"
+results[2].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[2].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[3].GetMeta("service") == "zoneminder"
+results[2].Overflow.Alert.Events[3].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
+results[2].Overflow.Alert.Events[3].GetMeta("target_user") == "user3"
+results[2].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[2].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[2].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[4].GetMeta("service") == "zoneminder"
+results[2].Overflow.Alert.Events[4].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1112"
+results[2].Overflow.Alert.Events[4].GetMeta("target_user") == "user4"
+results[2].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf"
+results[2].Overflow.Alert.Remediation == true
+results[2].Overflow.Alert.GetEventsCount() == 5
+"2222:3333:444a:a300:3c65:1111:1111:1111" in results[3].Overflow.GetSources()
+results[3].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].IP == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].Range == ""
+results[3].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].GetScope() == "Ip"
+results[3].Overflow.Sources["2222:3333:444a:a300:3c65:1111:1111:1111"].GetValue() == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[0].GetMeta("service") == "zoneminder"
+results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[0].GetMeta("target_user") == "test_user"
+results[3].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[1].GetMeta("service") == "zoneminder"
+results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[1].GetMeta("target_user") == "test_user"
+results[3].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[3].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[2].GetMeta("service") == "zoneminder"
+results[3].Overflow.Alert.Events[2].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[2].GetMeta("target_user") == "test_user"
+results[3].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[3].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[3].GetMeta("service") == "zoneminder"
+results[3].Overflow.Alert.Events[3].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[3].GetMeta("target_user") == "test_user"
+results[3].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[3].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[3].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[4].GetMeta("service") == "zoneminder"
+results[3].Overflow.Alert.Events[4].GetMeta("source_ip") == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results[3].Overflow.Alert.Events[4].GetMeta("target_user") == "test_user"
+results[3].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf"
+results[3].Overflow.Alert.Remediation == true
+results[3].Overflow.Alert.GetEventsCount() == 5
+"10.0.1.5" in results[4].Overflow.GetSources()
+results[4].Overflow.Sources["10.0.1.5"].IP == "10.0.1.5"
+results[4].Overflow.Sources["10.0.1.5"].Range == ""
+results[4].Overflow.Sources["10.0.1.5"].GetScope() == "Ip"
+results[4].Overflow.Sources["10.0.1.5"].GetValue() == "10.0.1.5"
+results[4].Overflow.Alert.Events[0].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[0].GetMeta("service") == "zoneminder"
+results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.1.5"
+results[4].Overflow.Alert.Events[0].GetMeta("target_user") == "aaaa"
+results[4].Overflow.Alert.Events[1].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[4].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[1].GetMeta("service") == "zoneminder"
+results[4].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.1.5"
+results[4].Overflow.Alert.Events[1].GetMeta("target_user") == "bbbb"
+results[4].Overflow.Alert.Events[2].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[4].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[2].GetMeta("service") == "zoneminder"
+results[4].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.1.5"
+results[4].Overflow.Alert.Events[2].GetMeta("target_user") == "cccc"
+results[4].Overflow.Alert.Events[3].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[4].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[3].GetMeta("service") == "zoneminder"
+results[4].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.0.1.5"
+results[4].Overflow.Alert.Events[3].GetMeta("target_user") == "validuser1"
+results[4].Overflow.Alert.Events[4].GetMeta("auth_status") == "failed"
+basename(results[4].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "zoneminder-bf.log"
+results[4].Overflow.Alert.Events[4].GetMeta("datasource_type") == 
"file" +results[4].Overflow.Alert.Events[4].GetMeta("service") == "zoneminder" +results[4].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.1.5" +results[4].Overflow.Alert.Events[4].GetMeta("target_user") == "validuser2" +results[4].Overflow.Alert.GetScenario() == "baudneo/zoneminder-bf" +results[4].Overflow.Alert.Remediation == true +results[4].Overflow.Alert.GetEventsCount() == 5 diff --git a/.tests/zoneminder-logs/config.yaml b/.tests/zoneminder-logs/config.yaml index afa364a21e5..c8616181c5c 100644 --- a/.tests/zoneminder-logs/config.yaml +++ b/.tests/zoneminder-logs/config.yaml @@ -1,7 +1,6 @@ parsers: - crowdsecurity/syslog-logs - ./parsers/s01-parse/baudneo/zoneminder-logs.yaml -- crowdsecurity/dateparse-enrich scenarios: - "" postoverflows: diff --git a/.tests/zoneminder-logs/parser.assert b/.tests/zoneminder-logs/parser.assert index 772b38c8e8d..a59475b349b 100644 --- a/.tests/zoneminder-logs/parser.assert +++ b/.tests/zoneminder-logs/parser.assert 
@@ -1,90 +1,107 @@
-len(results) == 4
+len(results) == 3
 len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 17
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "zoneminder"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "01/25/22 16:08:02.393003 web_php[118770].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Could not retrieve user test_user details] at /usr/share/zoneminder/www/includes/auth.php line 313"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "zoneminder"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "01/25/22 16:08:03.531511 web_php[119601].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Could not retrieve user test_user details] at /usr/share/zoneminder/www/includes/auth.php line 313"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "zoneminder"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "01/25/22 16:19:40.524258 
web_php[118966].INF [127.0.0.1] [Login successful for user \"test_user\"] at /usr/share/zoneminder/www/api/app/Controller/AppController.php line 86" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "01/25/22 16:19:40.524931 web_php[118966].INF [127.0.0.1] [Creating token for \"test_user\"] at /usr/share/zoneminder/www/api/app/Controller/HostController.php line 157" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "01/25/22 16:19:40.701022 web_php[118768].ERR [10.0.1.139] [Unable to authenticate user. 
error decoding JWT token:Expired token] at /usr/share/zoneminder/www/includes/auth.php line 118" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "01/25/22 16:22:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "01/25/22 16:23:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == 
"zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "01/25/22 16:24:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "01/25/22 16:24:57.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "01/25/22 16:25:07.359785 web_php[118919].ERR 
[2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "# New PHP datetime formatting" results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "zoneminder" results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "12/17/22, 10:31:29 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user aaaa details] at /usr/share/zoneminder/www/includes/auth.php line 395" -results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "zoneminder" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" 
results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "12/17/22, 10:31:30 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user bbbb details] at /usr/share/zoneminder/www/includes/auth.php line 395" results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][13].Success == true -results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "zoneminder" results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["message"] == "12/17/22, 10:31:31 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user cccc details] at /usr/share/zoneminder/www/includes/auth.php line 395" -results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Parsed["program"] == "zoneminder" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][13].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][14].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["message"] == "12/17/22, 10:31:32 PM 
MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser1\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][14].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][15].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["message"] == "12/17/22, 10:31:33 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser2\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][15].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][16].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["message"] == "12/17/22, 10:31:33 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser3\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Parsed["program"] == "zoneminder" -results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +basename(results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_path"]) == 
"zoneminder-web_php.log" results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][16].Evt.Whitelisted == false len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 17 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false @@ -105,6 +122,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == false len(results["s01-parse"]["baudneo/zoneminder-logs"]) == 17 results["s01-parse"]["baudneo/zoneminder-logs"][0].Success == true +results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["day"] == "25" results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["message"] == "01/25/22 16:08:02.393003 web_php[118770].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Could not retrieve user test_user details] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["program"] == "zoneminder" 
@@ -112,47 +130,50 @@ results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["source_ip"] == "2
 results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["time"] == "16:08:02.393003"
 results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["username"] == "test_user"
 results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["year"] == "22"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Parsed["day"] == "25"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["log_type"] == "zm_failed_auth"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["username"] == "test_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["log_subtype"] == "zm_bad_user"
+results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["service"] == "zoneminder"
+results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["target_user"] == "test_user"
+results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][1].Success == true
-results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["time"] == "16:08:03.531511"
-results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["username"] == "test_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["year"] == "22"
results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["day"] == "25" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["message"] == "01/25/22 16:08:03.531511 web_php[119601].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Could not retrieve user test_user details] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["program"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["time"] == "16:08:03.531511" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Parsed["year"] == "22" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["log_subtype"] == "zm_bad_user" -results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["log_type"] == "zm_failed_auth" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["service"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Meta["target_user"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][1].Evt.Whitelisted == false 
results["s01-parse"]["baudneo/zoneminder-logs"][2].Success == false results["s01-parse"]["baudneo/zoneminder-logs"][3].Success == false results["s01-parse"]["baudneo/zoneminder-logs"][4].Success == false results["s01-parse"]["baudneo/zoneminder-logs"][5].Success == true +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["day"] == "25" +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["message"] == "01/25/22 16:22:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["program"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["time"] == "16:22:17.359785" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["username"] == "test_user" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["year"] == "22" -results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["day"] == "25" -results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Parsed["message"] == "01/25/22 16:22:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" -results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["log_subtype"] == "zm_bad_password" 
-results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["log_type"] == "zm_failed_auth" +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["service"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Meta["target_user"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][5].Evt.Whitelisted == false results["s01-parse"]["baudneo/zoneminder-logs"][6].Success == true +results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["day"] == "25" results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["message"] == "01/25/22 16:23:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["program"] == "zoneminder" 
@@ -160,74 +181,78 @@ results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["source_ip"] == "2
 results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["time"] == "16:23:17.359785"
 results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["username"] == "test_user"
 results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["year"] == "22"
-results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Parsed["day"] == "25"
-results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["log_subtype"] == "zm_bad_password"
-results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["service"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111"
-results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["username"] == "test_user"
+results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Meta["target_user"] == "test_user"
+results["s01-parse"]["baudneo/zoneminder-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][7].Success == true
-results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["time"] == "16:24:17.359785"
-results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["username"] == "test_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["year"] == "22"
 results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["day"] == "25"
 results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["message"] == "01/25/22 
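Review bot: The meta set introduced in the `@@ -112,47 +130,50 @@` hunk folds the two failure kinds the old asserts kept apart — `log_subtype == "zm_bad_user"` for the `Could not retrieve user ... details` lines and `log_subtype == "zm_bad_password"` for the `Login denied for user` lines — into a single `auth_status == "failed"`, so a scenario can no longer separate attempts against non-existent accounts from wrong passwords on existing ones; the same applies to the two hunks that follow. From a detection standpoint those are different signals (probing for valid usernames versus password guessing on a known account), and a scenario can only filter on what reaches `Evt.Meta`. If the distinction is meant to survive, one added assertion per event such as `results["s01-parse"]["baudneo/zoneminder-logs"][0].Evt.Meta["auth_reason"] == "unknown_user"` (key name constructed here) next to the `auth_status` line would pin it, with the parser emitting the matching value; the zoneminder-bf scenario.assert lines at the top of this chunk show both kinds already counted in one bucket, which looks intentional, so this is about preserving the reason for other consumers rather than changing that scenario.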
16:24:17.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["program"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["log_subtype"] == "zm_bad_password" -results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["log_type"] == "zm_failed_auth" -results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["username"] == "test_user" -results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["time"] == "16:24:17.359785" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Parsed["year"] == "22" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["service"] == "zoneminder" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Meta["target_user"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][7].Evt.Whitelisted == false results["s01-parse"]["baudneo/zoneminder-logs"][8].Success == true 
-results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["username"] == "test_user" -results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["year"] == "22" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["day"] == "25" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["message"] == "01/25/22 16:24:57.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["program"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["time"] == "16:24:57.359785" -results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["username"] == "test_user" -results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Parsed["year"] == "22" +results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["log_subtype"] == "zm_bad_password" -results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["log_type"] == "zm_failed_auth" +results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["service"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" 
+results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Meta["target_user"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][8].Evt.Whitelisted == false results["s01-parse"]["baudneo/zoneminder-logs"][9].Success == true -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["time"] == "16:25:07.359785" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["username"] == "test_user" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["year"] == "22" results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["day"] == "25" results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["message"] == "01/25/22 16:25:07.359785 web_php[118919].ERR [2222:3333:444a:a300:3c65:1111:1111:1111] [Login denied for user \"test_user\"] at /usr/share/zoneminder/www/includes/auth.php line 313" results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["month"] == "01" results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["program"] == "zoneminder" results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["log_type"] == "zm_failed_auth" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["username"] == "test_user" -results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["datasource_path"] == "zoneminder-web_php.log" +results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["time"] == "16:25:07.359785" +results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["username"] == "test_user" +results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Parsed["year"] == "22" +results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["auth_status"] == "failed" +basename(results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log" 
 results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["log_subtype"] == "zm_bad_password"
+results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["service"] == "zoneminder"
+results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["source_ip"] == "2222:3333:444a:a300:3c65:1111:1111:1111"
+results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Meta["target_user"] == "test_user"
+results["s01-parse"]["baudneo/zoneminder-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][10].Success == false
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Success == true
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["day"] == "17"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["message"] == "12/17/22, 10:31:29 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user aaaa details] at /usr/share/zoneminder/www/includes/auth.php line 395"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["month"] == "12"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["program"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["source_ip"] == "10.0.1.5"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["time"] == "10:31:29 PM MST.557710"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["username"] == "aaaa"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["year"] == "22"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["day"] == "17"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Parsed["message"] == "12/17/22, 10:31:29 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user aaaa details] at /usr/share/zoneminder/www/includes/auth.php line 395"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["username"] == "aaaa"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["log_subtype"] == "zm_bad_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["service"] == "zoneminder"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["source_ip"] == "10.0.1.5"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Meta["target_user"] == "aaaa"
+results["s01-parse"]["baudneo/zoneminder-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Success == true
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["day"] == "17"
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["message"] == "12/17/22, 10:31:30 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user bbbb details] at /usr/share/zoneminder/www/includes/auth.php line 395"
@@ -237,70 +262,75 @@ results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["source_ip"] == "
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["time"] == "10:31:30 PM MST.557710"
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["username"] == "bbbb"
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Parsed["year"] == "22"
+results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["log_subtype"] == "zm_bad_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["service"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["username"] == "bbbb"
-results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Meta["target_user"] == "bbbb"
+results["s01-parse"]["baudneo/zoneminder-logs"][12].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Success == true
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["day"] == "17"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["message"] == "12/17/22, 10:31:31 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user cccc details] at /usr/share/zoneminder/www/includes/auth.php line 395"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["month"] == "12"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["program"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["source_ip"] == "10.0.1.5"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["time"] == "10:31:31 PM MST.557710"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["username"] == "cccc"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["year"] == "22"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["day"] == "17"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Parsed["message"] == "12/17/22, 10:31:31 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Could not retrieve user cccc details] at /usr/share/zoneminder/www/includes/auth.php line 395"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["log_subtype"] == "zm_bad_user"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["log_type"] == "zm_failed_auth"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["username"] == "cccc"
-results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["service"] == "zoneminder"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["source_ip"] == "10.0.1.5"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Meta["target_user"] == "cccc"
+results["s01-parse"]["baudneo/zoneminder-logs"][13].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Success == true
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["day"] == "17"
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["message"] == "12/17/22, 10:31:32 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser1\"] at /usr/share/zoneminder/www/includes/auth.php line 313"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["month"] == "12"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["program"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["source_ip"] == "10.0.1.5"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["time"] == "10:31:32 PM MST.557710"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["username"] == "validuser1"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["year"] == "22"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["day"] == "17"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Parsed["message"] == "12/17/22, 10:31:32 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser1\"] at /usr/share/zoneminder/www/includes/auth.php line 313"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["log_subtype"] == "zm_bad_password"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["service"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["username"] == "validuser1"
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Meta["target_user"] == "validuser1"
+results["s01-parse"]["baudneo/zoneminder-logs"][14].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Success == true
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["time"] == "10:31:33 PM MST.557710"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["username"] == "validuser2"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["year"] == "22"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["day"] == "17"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["message"] == "12/17/22, 10:31:33 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser2\"] at /usr/share/zoneminder/www/includes/auth.php line 313"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["month"] == "12"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["program"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["time"] == "10:31:33 PM MST.557710"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["username"] == "validuser2"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Parsed["year"] == "22"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["log_subtype"] == "zm_bad_password"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["service"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["username"] == "validuser2"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Meta["target_user"] == "validuser2"
+results["s01-parse"]["baudneo/zoneminder-logs"][15].Evt.Whitelisted == false
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Success == true
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["time"] == "10:31:33 PM MST.557710"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["username"] == "validuser3"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["year"] == "22"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["day"] == "17"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["message"] == "12/17/22, 10:31:33 PM MST.557710 web_php[254894].ERR [10.0.1.5] [Login denied for user \"validuser3\"] at /usr/share/zoneminder/www/includes/auth.php line 313"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["month"] == "12"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["program"] == "zoneminder"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["source_ip"] == "10.0.1.5"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["time"] == "10:31:33 PM MST.557710"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["username"] == "validuser3"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Parsed["year"] == "22"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["auth_status"] == "failed"
+basename(results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["datasource_path"]) == "zoneminder-web_php.log"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["log_subtype"] == "zm_bad_password"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["log_type"] == "zm_failed_auth"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["service"] == "zoneminder"
 results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["source_ip"] == "10.0.1.5"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["username"] == "validuser3"
-results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["datasource_path"] == "zoneminder-web_php.log"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Meta["target_user"] == "validuser3"
+results["s01-parse"]["baudneo/zoneminder-logs"][16].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/zoneminder_cve-39285/parser.assert b/.tests/zoneminder_cve-39285/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/zoneminder_cve-39290/parser.assert b/.tests/zoneminder_cve-39290/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/.tests/zoneminder_cve-39291/parser.assert b/.tests/zoneminder_cve-39291/parser.assert
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/parsers/s00-raw/crowdsecurity/unifi-logs.yaml b/parsers/s00-raw/crowdsecurity/unifi-logs.yaml
index efc0c0cc628..da2300d9c94 100644
--- a/parsers/s00-raw/crowdsecurity/unifi-logs.yaml
+++ b/parsers/s00-raw/crowdsecurity/unifi-logs.yaml
@@ -31,4 +31,4 @@ statics: - meta: action expression: 'evt.Parsed.action == "" ? "" : evt.Parsed.action == "A" ? "accept" : (evt.Parsed.action == "D" ? "drop" : (evt.Parsed.action == "R" ? "reject" : "unknown"))' - meta: log_type - expression: 'evt.Meta.action not in ["accept", "unknown"] ? "iptables_drop" : "iptables_event"' \ No newline at end of file + expression: 'evt.Meta.action not in ["accept", "unknown"] ? "iptables_drop" : "iptables_event"' diff --git a/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml b/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml index 66748aed8ff..37e708cf958 100644 --- a/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml +++ b/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml @@ -12,11 +12,11 @@ statics: nodes: - filter: "evt.Unmarshaled.sftpgo.sender == 'login'" statics: - - meta: log_type - value: auth_success + - meta: auth_status + value: success - meta: source_ip expression: evt.Unmarshaled.sftpgo.ip - - meta: user + - meta: target_user expression: evt.Unmarshaled.sftpgo.username - meta: protocol expression: evt.Unmarshaled.sftpgo.protocol @@ -27,16 +27,16 @@ nodes: expression: evt.Unmarshaled.sftpgo.message pattern: 'User "%{DATA:username}" logged in.* from ip "%{IP:source_ip}"' statics: - - meta: log_type - value: auth_success + - meta: auth_status + value: success - meta: source_ip expression: evt.Parsed.source_ip - - meta: user + - meta: target_user expression: evt.Parsed.username - filter: "evt.Unmarshaled.sftpgo.sender == 'connection_failed'" statics: - - meta: log_type - value: sftpgo_auth + - meta: auth_status + value: failed - meta: source_ip expression: evt.Unmarshaled.sftpgo.client_ip - meta: target_user diff --git a/parsers/s01-parse/Dominic-Wagner/vaultwarden-logs.yaml b/parsers/s01-parse/Dominic-Wagner/vaultwarden-logs.yaml index bbbe963ab73..408ef989eee 100644 --- a/parsers/s01-parse/Dominic-Wagner/vaultwarden-logs.yaml +++ b/parsers/s01-parse/Dominic-Wagner/vaultwarden-logs.yaml 
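Review bot: Replacing the service-specific `log_type` values (`auth_success`, `sftpgo_auth`) with the generic `auth_status` in the three sftpgo hunks removes the only service identifier these nodes set, so a scenario can no longer tell an sftpgo failure from any other parser's `auth_status: failed` unless `evt.Meta.service` is also populated. The gotify and zoneminder hunks in this commit add `- meta: service` to their root statics for exactly that reason; the root `statics:` block of this file sits above the hunk, so I cannot see whether it already sets `service`. If it does not, add `- meta: service` / `value: sftpgo` there, and check that any scenario still filtering on `evt.Meta.log_type == 'sftpgo_auth'` is migrated to `auth_status` plus `service` in the same change.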
@@ -9,28 +9,28 @@ nodes: pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::identity\]\[ERROR\] Username or password is incorrect\. Try again\. IP: %{IP:source_ip}\. Username: %{EMAILADDRESS:username}\.$' apply_on: message statics: - - meta: log_type - value: vaultwarden_failed_auth - - meta: username + - meta: auth_status + value: failed + - meta: target_user expression: evt.Parsed.username - grok: pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::admin\]\[ERROR\] Invalid admin token. IP: %{IP:source_ip}' apply_on: message statics: - - meta: log_type - value: vaultwarden_failed_admin_auth + - meta: auth_status + value: failed - grok: pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::core::two_factor::authenticator\]\[ERROR\] Invalid TOTP code! Server time: %{DATE_YMD:server_date} %{TIME:server_time} %{TZ:server_tz} IP: %{IP:source_ip}' apply_on: message statics: - - meta: log_type - value: vaultwarden_failed_2fa_totp + - meta: auth_status + value: failed - grok: pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::core::two_factor::email\]\[ERROR\] Token is invalid! IP: %{IP:source_ip}' apply_on: message statics: - - meta: log_type - value: vaultwarden_failed_2fa_email + - meta: auth_status + value: failed statics: - meta: service diff --git a/parsers/s01-parse/Jgigantino31/calibre-web-logs.yaml b/parsers/s01-parse/Jgigantino31/calibre-web-logs.yaml index acda965ff8d..096c0df73a0 100644 --- a/parsers/s01-parse/Jgigantino31/calibre-web-logs.yaml +++ b/parsers/s01-parse/Jgigantino31/calibre-web-logs.yaml 
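Review bot: Folding `vaultwarden_failed_auth`, `vaultwarden_failed_admin_auth`, `vaultwarden_failed_2fa_totp` and `vaultwarden_failed_2fa_email` into a single `auth_status: failed` drops the distinction between a wrong password, a bad admin token and a rejected second factor; a rejected TOTP or email token usually means the password was already accepted, which is a stronger signal than a password failure and is worth being able to alert on separately, and the admin-token node also has no `target_user`. The filebrowser hunk in this commit keeps `- meta: log_subtype` next to the new `auth_status`; doing the same here (for example `- meta: log_subtype` / `value: vaultwarden_failed_2fa_totp` on the TOTP node) preserves the signal without giving up the shared field. The same collapse happens in the baikal, webmin and zoneminder hunks, with zoneminder also deleting its existing `log_subtype` lines, so the commit is inconsistent with itself on whether a subtype survives.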
@@ -10,13 +10,13 @@ nodes: pattern: '(\[%{CALIBREWEB_CUSTOMDATE:timestamp}.*\])?.*Login failed for user "%{HTTPDUSER:username}" IP-address: %{IP:source_ip}' apply_on: message statics: - - meta: log_type - value: calibre-web_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: calibre-web - - meta: user + - meta: target_user expression: "evt.Parsed.username" - meta: source_ip expression: "evt.Parsed.source_ip" diff --git a/parsers/s01-parse/Jgigantino31/ntfy-logs.yaml b/parsers/s01-parse/Jgigantino31/ntfy-logs.yaml index a77b2ff327b..3a9041e186b 100644 --- a/parsers/s01-parse/Jgigantino31/ntfy-logs.yaml +++ b/parsers/s01-parse/Jgigantino31/ntfy-logs.yaml @@ -5,8 +5,8 @@ filter: "evt.Parsed.program == 'ntfy'" nodes: - filter: "JsonExtract(evt.Parsed.message, 'error_code') in ['40101', '40301']" statics: - - meta: log_type - value: ntfy_failed_auth + - meta: auth_status + value: failed statics: - meta: service diff --git a/parsers/s01-parse/LePresidente/adguardhome-logs.yaml b/parsers/s01-parse/LePresidente/adguardhome-logs.yaml index 906984e3d96..e9d2aa0dce4 100644 --- a/parsers/s01-parse/LePresidente/adguardhome-logs.yaml +++ b/parsers/s01-parse/LePresidente/adguardhome-logs.yaml @@ -8,14 +8,14 @@ nodes: pattern: '%{DATE_X:date} %{TIME:time}.* POST %{HOSTNAME} /control/login: from ip %{IP:source_ip}: invalid username or password$' apply_on: message statics: - - meta: log_type - value: adguardhome_failed_auth + - meta: auth_status + value: failed - grok: pattern: '%{DATE_X:date} %{TIME:time}.* POST %{IP:source_ip} /control/login: invalid username or password$' apply_on: message statics: - - meta: log_type - value: adguardhome_failed_auth + - meta: auth_status + value: failed statics: diff --git a/parsers/s01-parse/LePresidente/authelia-logs.yaml b/parsers/s01-parse/LePresidente/authelia-logs.yaml index f8e8e228193..bbe89ec6604 100644 --- a/parsers/s01-parse/LePresidente/authelia-logs.yaml 
+++ b/parsers/s01-parse/LePresidente/authelia-logs.yaml @@ -20,15 +20,15 @@ nodes: pattern: "%{WORD:auth_status} (1FA|Duo|TOTP|U2F) authentication attempt (made )?by user '%{AUTHELIA_USER:user}'" expression: evt.Unmarshaled.authelia.msg statics: - - meta: log_type - expression: 'evt.Parsed.auth_status == "Unsuccessful" ? "auth_failed" : "auth_success"' + - meta: auth_status + expression: 'evt.Parsed.auth_status == "Unsuccessful" ? "failed" : "success"' - grok: pattern: "Error .* getting details for user with username input '%{AUTHELIA_USER:user}'.*" expression: evt.Unmarshaled.authelia.msg statics: - - meta: log_type - value: auth_failed + - meta: auth_status + value: failed ## This section is a hack to allow all authelia logs to pass to next stage, if you set onsuccess next stage at root level all successful attempts will not be passed, so we could do some impossible trave sceanrios - filter: evt.Unmarshaled.authelia != nil @@ -37,7 +37,7 @@ nodes: - meta: service value: authelia statics: - - meta: user + - meta: target_user expression: evt.Parsed.user - target: evt.StrTime expression: evt.Unmarshaled.authelia.time diff --git a/parsers/s01-parse/LePresidente/emby-logs.yaml b/parsers/s01-parse/LePresidente/emby-logs.yaml index fbd7357a066..39efc6ee826 100644 --- a/parsers/s01-parse/LePresidente/emby-logs.yaml +++ b/parsers/s01-parse/LePresidente/emby-logs.yaml @@ -8,8 +8,8 @@ nodes: pattern: '%{TIMESTAMP_ISO8601:timestamp}.*?AUTH-ERROR: %{IP:source_ip} - Invalid username or password entered\.$' apply_on: message statics: - - meta: log_type - value: emby_failed_auth + - meta: auth_status + value: failed statics: - meta: service diff --git a/parsers/s01-parse/LePresidente/gitea-logs.yaml b/parsers/s01-parse/LePresidente/gitea-logs.yaml index aab8c17ade9..71011dcc199 100644 --- a/parsers/s01-parse/LePresidente/gitea-logs.yaml +++ b/parsers/s01-parse/LePresidente/gitea-logs.yaml 
@@ -11,43 +11,43 @@ nodes: pattern: '^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt for %{GITEA_CUSTOMUSER:username} from %{IP:remote_ip}:%{NUMBER:remote_port}.* user does not exist' apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed - grok: pattern: '^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt for %{GITEA_CUSTOMUSER:username} from \[%{IP:remote_ip}\].* user does not exist' apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed - grok: pattern: '^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt from %{IP:remote_ip}:%{NUMBER:remote_port}' apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed - grok: pattern: '^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt from \[%{IP:remote_ip}\]' apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed - grok: pattern: "^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt for %{GITEA_CUSTOMUSER:username} from %{IP:remote_ip}:%{NUMBER:remote_port}.* user's password is invalid" apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed - grok: pattern: "^%{GITEA_CUSTOMDATE:timestamp}.*?Failed authentication attempt for %{GITEA_CUSTOMUSER:username} from %{IP:remote_ip}:%{NUMBER:remote_port}.* (user|Email address) does not exist" apply_on: message statics: - - meta: log_type - value: gitea_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: gitea - - meta: user + - meta: target_user expression: "evt.Parsed.username" - target: evt.StrTime expression: evt.Parsed.timestamp diff --git a/parsers/s01-parse/LePresidente/grafana-logs.yaml b/parsers/s01-parse/LePresidente/grafana-logs.yaml index d26f514b8ef..4783b44c571 100644 
--- a/parsers/s01-parse/LePresidente/grafana-logs.yaml +++ b/parsers/s01-parse/LePresidente/grafana-logs.yaml @@ -20,14 +20,14 @@ nodes: pattern: "%{GRAFANA_AUTH_WORD:auth_status}( username or password)?" expression: evt.Unmarshaled.grafana.msg statics: - - meta: log_type - expression: 'evt.Parsed.auth_status == "Unauthorized" || evt.Parsed.auth_status == "Invalid" ? "auth_failed" : "auth_success"' + - meta: auth_status + expression: 'evt.Parsed.auth_status == "Unauthorized" || evt.Parsed.auth_status == "Invalid" ? "failed" : "success"' - ## We filter to see if we have a log_type set from above, if not we detect if new log format - - filter: evt.Meta.log_type == '' + ## We filter to see if we have a auth_status set from above, if not we detect if new log format + - filter: evt.Meta.auth_status == '' statics: - - meta: log_type - expression: 'evt.Unmarshaled.grafana.errorMessageID == "password-auth.failed" && evt.Unmarshaled.grafana.errorReason in ["Unauthorized", "Invalid"] ? "auth_failed" : "auth_success"' + - meta: auth_status + expression: 'evt.Unmarshaled.grafana.errorMessageID == "password-auth.failed" && evt.Unmarshaled.grafana.errorReason in ["Unauthorized", "Invalid"] ? "failed" : "success"' ## This section is a hack to allow all grafana logs to pass to next stage, if you set onsuccess next stage at root level all successful attempts will not be passed, so we could do some impossible trave sceanrios - filter: evt.Unmarshaled.grafana != nil diff --git a/parsers/s01-parse/LePresidente/harbor-logs.yaml b/parsers/s01-parse/LePresidente/harbor-logs.yaml index 6e00aff57e4..b59ba2037c6 100644 --- a/parsers/s01-parse/LePresidente/harbor-logs.yaml +++ b/parsers/s01-parse/LePresidente/harbor-logs.yaml 
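Review bot: The fallback node at `- filter: evt.Meta.auth_status == ''` labels every grafana line the first grok did not match as `auth_status: success`, because the else branch of the expression is `"success"` regardless of whether the line is a login event at all. That was already true of the old `auth_success` value, but `auth_status` is now a field shared by every parser in this commit, so a scenario that counts successful logins across services (the comment below this hunk mentions impossible-travel) would see each non-auth grafana line as a successful login. Unless a later node overrides it (not visible here), the else branch should yield `""` and `"success"` only behind a condition that identifies a real successful login; the `errorMessageID`/`errorReason` check only identifies the failure case. The reworded comment also reads `a auth_status`; `an auth_status` would be correct.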
@@ -10,12 +10,12 @@ nodes: pattern: '.*core\[%{GREEDYDATA:PID}\]: %{RFC3339:timestamp} \[%{GREEDYDATA:ERROR}\] .*\[client IP="%{IP:remote_ip}, %{IP:internal_ip}".*failed to authenticate user:%{HARBOR_CUSTOMUSER:username}, error:Failed to authenticate user, due to error \SInvalid credentials\S' apply_on: message statics: - - meta: log_type - value: harbor_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: harbor - - meta: user + - meta: target_user expression: "evt.Parsed.username" - target: evt.StrTime expression: evt.Parsed.timestamp diff --git a/parsers/s01-parse/LePresidente/jellyfin-logs.yaml b/parsers/s01-parse/LePresidente/jellyfin-logs.yaml index 21744b8af7b..0c5fea10473 100644 --- a/parsers/s01-parse/LePresidente/jellyfin-logs.yaml +++ b/parsers/s01-parse/LePresidente/jellyfin-logs.yaml @@ -11,13 +11,13 @@ nodes: pattern: '(\[%{JELLYFIN_CUSTOMDATE:timestamp}.*\])?.*Authentication request for "?%{JELLYFIN_CUSTOMUSER:username}"? has been denied \(IP: "?%{IP:source_ip}"?\).*' apply_on: message statics: - - meta: log_type - value: jellyfin_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: jellyfin - - meta: user + - meta: target_user expression: "evt.Parsed.username" - meta: source_ip expression: "evt.Parsed.source_ip" diff --git a/parsers/s01-parse/LePresidente/jellyseerr-logs.yaml b/parsers/s01-parse/LePresidente/jellyseerr-logs.yaml index ca6de77027b..9cf78009ad4 100644 --- a/parsers/s01-parse/LePresidente/jellyseerr-logs.yaml +++ b/parsers/s01-parse/LePresidente/jellyseerr-logs.yaml 
@@ -10,33 +10,33 @@ nodes: pattern: '%{RFC3339:timestamp}.*Failed sign-in attempt using invalid .* password.*{"ip":"::ffff:%{IP:source_ip}","email":"%{JELLYSEERR_CUSTOMUSER:username}"}' apply_on: message statics: - - meta: log_type - value: jellyseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '%{RFC3339:timestamp}.*Failed login attempt from user with incorrect.*credentials {"account":{"ip":"::ffff:%{IP:source_ip}","email":"%{JELLYSEERR_CUSTOMUSER:username}","password":"__REDACTED__"}}' apply_on: message statics: - - meta: log_type - value: jellyseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '%{RFC3339:timestamp}.*Failed sign-in attempt using invalid .* password.*{"ip":"%{IP:source_ip}","email":"%{JELLYSEERR_CUSTOMUSER:username}"}' apply_on: message statics: - - meta: log_type - value: jellyseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '%{RFC3339:timestamp}.*Failed login attempt from user with incorrect.*credentials {"account":{"ip":"%{IP:source_ip}","email":"%{JELLYSEERR_CUSTOMUSER:username}","password":"__REDACTED__"}}' apply_on: message statics: - - meta: log_type - value: jellyseerr_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: jellyseerr - meta: source_ip expression: "evt.Parsed.source_ip" - - meta: user + - meta: target_user expression: "evt.Parsed.username" - target: evt.StrTime expression: evt.Parsed.timestamp \ No newline at end of file diff --git a/parsers/s01-parse/LePresidente/ombi-logs.yaml b/parsers/s01-parse/LePresidente/ombi-logs.yaml index c548310d363..315feb92bb2 100644 --- a/parsers/s01-parse/LePresidente/ombi-logs.yaml +++ b/parsers/s01-parse/LePresidente/ombi-logs.yaml @@ -9,8 +9,8 @@ nodes: apply_on: message statics: - - meta: log_type - value: ombi_auth_failed + - meta: auth_status + value: failed statics: - meta: service 
diff --git a/parsers/s01-parse/LePresidente/overseerr-logs.yaml b/parsers/s01-parse/LePresidente/overseerr-logs.yaml index 003ab01135d..198943e23ba 100644 --- a/parsers/s01-parse/LePresidente/overseerr-logs.yaml +++ b/parsers/s01-parse/LePresidente/overseerr-logs.yaml @@ -10,33 +10,33 @@ nodes: pattern: '(%{RFC3339:timestamp})?.*Failed sign-in attempt using invalid .* password.*{"ip":"::ffff:%{IP:source_ip}","email":"%{OVERSEERR_CUSTOMUSER:username}"}' apply_on: message statics: - - meta: log_type - value: overseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '(%{RFC3339:timestamp})?.*Failed login attempt from user with incorrect.*credentials {"account":{"ip":"::ffff:%{IP:source_ip}","email":"%{OVERSEERR_CUSTOMUSER:username}","password":"__REDACTED__"}}' apply_on: message statics: - - meta: log_type - value: overseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '(%{RFC3339:timestamp})?.*Failed sign-in attempt using invalid .* password.*{"ip":"%{IP:source_ip}","email":"%{OVERSEERR_CUSTOMUSER:username}"}' apply_on: message statics: - - meta: log_type - value: overseerr_failed_auth + - meta: auth_status + value: failed - grok: pattern: '(%{RFC3339:timestamp})?.*Failed login attempt from user with incorrect.*credentials {"account":{"ip":"%{IP:source_ip}","email":"%{OVERSEERR_CUSTOMUSER:username}","password":"__REDACTED__"}}' apply_on: message statics: - - meta: log_type - value: overseerr_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: overseerr - meta: source_ip expression: "evt.Parsed.source_ip" - - meta: user + - meta: target_user expression: "evt.Parsed.username" - target: evt.StrTime expression: evt.Parsed.timestamp diff --git a/parsers/s01-parse/LePresidente/redmine-logs.yaml b/parsers/s01-parse/LePresidente/redmine-logs.yaml index 3c471fe2230..d8356dfcda1 100644 --- a/parsers/s01-parse/LePresidente/redmine-logs.yaml +++ b/parsers/s01-parse/LePresidente/redmine-logs.yaml 
@@ -10,8 +10,10 @@ nodes: pattern: '\[%{TIMESTAMP_ISO8601:timestamp} .*\] %{LOGLEVEL:loglevel} .*: Failed login for \S%{REDMINE_CUSTOMUSER:username}\S from %{IP:source_ip} at %{GREEDYDATA:date}' apply_on: message statics: - - meta: log_type - value: redmine_failed_auth + - meta: auth_status + value: failed + - meta: target_user + expression: "evt.Parsed.username" statics: - meta: service diff --git a/parsers/s01-parse/LearningSpot/dockge-logs.yaml b/parsers/s01-parse/LearningSpot/dockge-logs.yaml index 43609a8c677..f09c3bf1cf9 100644 --- a/parsers/s01-parse/LearningSpot/dockge-logs.yaml +++ b/parsers/s01-parse/LearningSpot/dockge-logs.yaml @@ -7,11 +7,11 @@ nodes: pattern: '%{TIMESTAMP_ISO8601:timestamp} \[AUTH\] WARN: Incorrect username or password for user %{DATA:username}.? IP=%{IP:source_ip}' apply_on: message statics: - - meta: log_type - value: dockge_failed_auth + - meta: auth_status + value: failed - target: evt.StrTime expression: evt.Parsed.timestamp - - meta: username + - meta: target_user expression: evt.Parsed.username statics: - meta: service diff --git a/parsers/s01-parse/LearningSpot/hestiacp-logs.yaml b/parsers/s01-parse/LearningSpot/hestiacp-logs.yaml index 635763e270d..6a29b6a648b 100644 --- a/parsers/s01-parse/LearningSpot/hestiacp-logs.yaml +++ b/parsers/s01-parse/LearningSpot/hestiacp-logs.yaml @@ -7,8 +7,8 @@ nodes: pattern: '%{TIMESTAMP_ISO8601:timestamp} %{USERNAME:username} %{IP:source_ip} failed to login' apply_on: message statics: - - meta: log_type - value: hestiacp_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: hestiacp diff --git a/parsers/s01-parse/LearningSpot/litellm-logs.yaml b/parsers/s01-parse/LearningSpot/litellm-logs.yaml index ccfecf8f8d9..bcf8262e4ab 100644 --- a/parsers/s01-parse/LearningSpot/litellm-logs.yaml +++ b/parsers/s01-parse/LearningSpot/litellm-logs.yaml 
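Review bot: In the hestiacp hunk the pattern captures `%{USERNAME:username}` but the visible statics set only `auth_status` and `service`, so unless the root `statics:` continuing past the hunk maps it, the username is parsed and then dropped. The redmine hunk in this commit adds `- meta: target_user` / `expression: "evt.Parsed.username"` for exactly this case; adding the same two lines to hestiacp's statics gives its events the same `target_user` field the other services now carry, which is what a per-account failure scenario would key on.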
@@ -7,8 +7,8 @@ nodes: pattern: 'INFO:%{SPACE}%{IP:source_ip}:%{INT} - "%{WORD:method} %{DATA:query} %{URIPROTO}/%{NUMBER:http_version}" %{NUMBER:status} Unauthorized' apply_on: message statics: - - meta: log_type - value: litellm_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: litellm diff --git a/parsers/s01-parse/MariuszKociubinski/bitwarden-logs.yaml b/parsers/s01-parse/MariuszKociubinski/bitwarden-logs.yaml index ff94c8baefd..657d01083de 100644 --- a/parsers/s01-parse/MariuszKociubinski/bitwarden-logs.yaml +++ b/parsers/s01-parse/MariuszKociubinski/bitwarden-logs.yaml @@ -8,14 +8,14 @@ nodes: pattern: '^%{EXIM_DATE:timestamp}.*Failed login attempt\. %{IP:source_ip}.*$' apply_on: message statics: - - meta: log_type - value: bitwarden_failed_auth + - meta: auth_status + value: failed - grok: pattern: '^%{EXIM_DATE:timestamp}.*Failed login attempt\, 2FA invalid\. %{IP:source_ip}.*$' apply_on: message statics: - - meta: log_type - value: bitwarden_failed_auth + - meta: auth_status + value: failed statics: - meta: service diff --git a/parsers/s01-parse/MrShippeR/filebrowser-logs.yaml b/parsers/s01-parse/MrShippeR/filebrowser-logs.yaml index 1e7490531af..4cef54057d0 100644 --- a/parsers/s01-parse/MrShippeR/filebrowser-logs.yaml +++ b/parsers/s01-parse/MrShippeR/filebrowser-logs.yaml @@ -11,8 +11,8 @@ nodes: name: "FILEBROWSER_FAILED_AUTH" apply_on: message statics: - - meta: log_type - value: filebrowser_failed_auth + - meta: auth_status + value: failed - meta: log_subtype value: filebrowser_invalid_credentials - target: evt.StrTime diff --git a/parsers/s01-parse/PintjesB/technitium-logs.yaml b/parsers/s01-parse/PintjesB/technitium-logs.yaml index ddb0251534c..a14eba18872 100644 --- a/parsers/s01-parse/PintjesB/technitium-logs.yaml +++ b/parsers/s01-parse/PintjesB/technitium-logs.yaml 
@@ -9,8 +9,8 @@ nodes: pattern: '^\[%{TECHNITIUM_DATETIME}\] \[%{IP:source_ip}:%{INT:source_port}\] DnsServerCore.DnsWebServiceException: Invalid username or password for user: %{USERNAME:username}' apply_on: message statics: - - meta: log_type - value: technitium_failed_auth + - meta: auth_status + value: failed statics: - meta: service @@ -21,5 +21,5 @@ statics: expression: "evt.Parsed.source_ip" - meta: source_port expression: "evt.Parsed.source_port" - - meta: username + - meta: target_user expression: "evt.Parsed.username" \ No newline at end of file diff --git a/parsers/s01-parse/a1ad/meshcentral-logs.yaml b/parsers/s01-parse/a1ad/meshcentral-logs.yaml index 3fedf30a5a7..f8d0402a9ec 100644 --- a/parsers/s01-parse/a1ad/meshcentral-logs.yaml +++ b/parsers/s01-parse/a1ad/meshcentral-logs.yaml @@ -12,13 +12,13 @@ nodes: pattern: '%{MESHCENTRAL_CUSTOMDATE:timestamp}.*Failed password for %{MESHCENTRAL_CUSTOMUSER:username} from %{IP:source_ip}.*' apply_on: message statics: - - meta: log_type - value: meshcentral_failed_auth + - meta: auth_status + value: failed statics: - meta: service value: meshcentral - - meta: user + - meta: target_user expression: "evt.Parsed.username" - meta: source_ip expression: "evt.Parsed.source_ip" diff --git a/parsers/s01-parse/a1ad/mikrotik-logs.yaml b/parsers/s01-parse/a1ad/mikrotik-logs.yaml index 7ca0890bf39..94cd5146406 100644 --- a/parsers/s01-parse/a1ad/mikrotik-logs.yaml +++ b/parsers/s01-parse/a1ad/mikrotik-logs.yaml @@ -23,9 +23,9 @@ nodes: statics: - meta: service value: mikrotik - - meta: log_type - value: mikrotik_failed_auth - - meta: user + - meta: auth_status + value: failed + - meta: target_user expression: "evt.Parsed.invalid_user" statics: - meta: source_ip diff --git a/parsers/s01-parse/andreasbrett/baikal-logs.yaml b/parsers/s01-parse/andreasbrett/baikal-logs.yaml index 23678ad08c1..9668226d369 100644 --- a/parsers/s01-parse/andreasbrett/baikal-logs.yaml +++ b/parsers/s01-parse/andreasbrett/baikal-logs.yaml 
@@ -10,16 +10,16 @@ nodes:
 pattern: "%{BAIKAL_FAILED_AUTH}"
 apply_on: message
 statics:
- - meta: log_type
- value: baikal_failed_auth
- - meta: username
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: evt.Parsed.username
 - grok:
 pattern: "%{BAIKAL_FAILED_AUTH_NO_USER}"
 apply_on: message
 statics:
- - meta: log_type
- value: baikal_failed_auth_no_user
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
diff --git a/parsers/s01-parse/andreasbrett/paperless-ngx-logs.yaml b/parsers/s01-parse/andreasbrett/paperless-ngx-logs.yaml
index 5174c4672ca..0aa87e3e15b 100644
--- a/parsers/s01-parse/andreasbrett/paperless-ngx-logs.yaml
+++ b/parsers/s01-parse/andreasbrett/paperless-ngx-logs.yaml
@@ -11,18 +11,18 @@ nodes:
 pattern: '\[%{DATE_YMD:date} %{TIME:time}\] \[INFO\] \[paperless\.auth\] Login failed for user `%{PAPERLESS_NGX_USER:username}` from (private )?IP `%{IP:source_ip}\.`'
 apply_on: message
 statics:
- - meta: log_type
- value: paperless_ngx_failed_auth
- - meta: username
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: evt.Parsed.username
 - grok: # Paperless-ngx v1.16.6+
 pattern: '\[%{DATE_YMD:date} %{TIME:time}\] \[INFO\] \[paperless\.auth\] Login failed for user `%{PAPERLESS_NGX_USER:username}` from (private )?IP `%{IP:source_ip}`\.'
 apply_on: message
 statics:
- - meta: log_type
- value: paperless_ngx_failed_auth
- - meta: username
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: evt.Parsed.username
 statics:
diff --git a/parsers/s01-parse/andreasbrett/webmin-logs.yaml b/parsers/s01-parse/andreasbrett/webmin-logs.yaml
index adfa01780ab..a86ec0f1aa2 100644
--- a/parsers/s01-parse/andreasbrett/webmin-logs.yaml
+++ b/parsers/s01-parse/andreasbrett/webmin-logs.yaml
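Review bot: The second Baikal node (`BAIKAL_FAILED_AUTH_NO_USER`) was tagged `baikal_failed_auth_no_user`; after this change both nodes emit only `auth_status: failed`, so a login attempt without any username can no longer be told apart from a wrong password for a real account. Other parsers in this same commit preserve that kind of distinction under `log_subtype` (filebrowser, wireguard, miniflux), so for consistency add `- meta: log_subtype` / `value: baikal_no_user` to the second node's statics. Setting `target_user` only on the first node is correct, since the second pattern has no username capture, but without a subtype a scenario has nothing left to key on.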
@@ -11,19 +11,19 @@ nodes:
 pattern: "%{WEBMIN_AUTH_WRONG_PASS}"
 apply_on: message
 statics:
- - meta: log_type
- value: webmin_failed_auth_wrong_pass
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: "%{WEBMIN_AUTH_TWOFACTOR}"
 apply_on: message
 statics:
- - meta: log_type
- value: webmin_failed_auth_twofactor
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
 value: webmin
- - meta: username
+ - meta: target_user
 expression: evt.Parsed.username
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
diff --git a/parsers/s01-parse/baudneo/gotify-logs.yaml b/parsers/s01-parse/baudneo/gotify-logs.yaml
index 68241ce043d..0b70b455b97 100644
--- a/parsers/s01-parse/baudneo/gotify-logs.yaml
+++ b/parsers/s01-parse/baudneo/gotify-logs.yaml
@@ -22,7 +22,9 @@ nodes:
 - target: StrTime
 expression: evt.Parsed.timestamp
 statics:
+ - meta: service
+ value: gotify
 - meta: source_ip
 expression: evt.Parsed.source_ip
- - meta: log_type
- value: gotify_failed_auth
+ - meta: auth_status
+ value: failed
diff --git a/parsers/s01-parse/baudneo/zoneminder-logs.yaml b/parsers/s01-parse/baudneo/zoneminder-logs.yaml
index 0c6142949c4..19dcd9fbe44 100644
--- a/parsers/s01-parse/baudneo/zoneminder-logs.yaml
+++ b/parsers/s01-parse/baudneo/zoneminder-logs.yaml
@@ -18,24 +18,22 @@ nodes:
 name: "ZM_BADPASSWORD"
 apply_on: message
 statics:
- - meta: log_type
- value: zm_failed_auth
- - meta: log_subtype
- value: zm_bad_password
- - meta: username
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: evt.Parsed.username
 - grok:
 name: "ZM_BADUSER"
 apply_on: message
 statics:
- - meta: log_type
- value: zm_failed_auth
- - meta: log_subtype
- value: zm_bad_user
- - meta: username
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: evt.Parsed.username
 statics:
+ - meta: service
+ value: zoneminder
 - meta: source_ip
 expression: evt.Parsed.source_ip
 - target: StrTime
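Review bot: Collapsing `webmin_failed_auth_wrong_pass` and `webmin_failed_auth_twofactor` into one `auth_status: failed` discards a security-relevant signal: a 2FA failure means the password stage was already passed, which points at a compromised credential rather than guessing, and a scenario may want to alert on it at a much lower threshold. Keep the distinction on the second node as `- meta: log_subtype` / `value: webmin_twofactor_failed`, the way filebrowser-logs.yaml in this commit keeps `filebrowser_invalid_credentials`.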
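Review bot: The zoneminder hunk deletes the `log_subtype` statics (`zm_bad_password` / `zm_bad_user`) together with `log_type`, whereas filebrowser and wireguard in this same commit keep theirs; a bad-user versus bad-password split is what an account-enumeration scenario needs and costs nothing to keep. Restore `- meta: log_subtype` / `value: zm_bad_password` in the `ZM_BADPASSWORD` node and `- meta: log_subtype` / `value: zm_bad_user` in `ZM_BADUSER`, leaving the new `auth_status: failed` in both.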
diff --git a/parsers/s01-parse/bouddha-fr/opensearch-dashboard-logs.yaml b/parsers/s01-parse/bouddha-fr/opensearch-dashboard-logs.yaml
index 15b150c008b..e2bf588c50a 100644
--- a/parsers/s01-parse/bouddha-fr/opensearch-dashboard-logs.yaml
+++ b/parsers/s01-parse/bouddha-fr/opensearch-dashboard-logs.yaml
@@ -7,14 +7,14 @@ statics:
 value: opensearch
 - meta: source_ip
 expression: evt.Unmarshaled.opensearch.req.remoteAddress
- - meta: log_type
+ - meta: auth_status
 expression: |
 ( evt.Unmarshaled.opensearch.type == 'response' && evt.Unmarshaled.opensearch.method == 'post' && evt.Unmarshaled.opensearch.statusCode in [401, '401'] && evt.Unmarshaled.opensearch.req.url == '/auth/login?dataSourceId='
- ) ? 'opensearch_failed_auth' : ''
+ ) ? 'failed' : ''
 - meta: timestamp
 expression: evt.Unmarshaled.opensearch['@timestamp']
 - meta: status_code
diff --git a/parsers/s01-parse/corvese/apache-guacamole-logs.yaml b/parsers/s01-parse/corvese/apache-guacamole-logs.yaml
index 26e38df79e2..f816e2a152c 100644
--- a/parsers/s01-parse/corvese/apache-guacamole-logs.yaml
+++ b/parsers/s01-parse/corvese/apache-guacamole-logs.yaml
@@ -9,8 +9,8 @@ nodes:
 pattern: '%{TIMESTAMP_ISO8601:timestamp}.*Authentication attempt from \[?%{IP:source_ip}.*for user "%{GUAC_CUSTOMUSER:username}" failed'
 apply_on: message
 statics:
- - meta: log_type
- value: apache-guacamole_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: evt.Parsed.username
 statics:
diff --git a/parsers/s01-parse/crowdsecurity/asterisk-logs.yaml b/parsers/s01-parse/crowdsecurity/asterisk-logs.yaml
index 89334aca548..bc7024cba5c 100644
--- a/parsers/s01-parse/crowdsecurity/asterisk-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/asterisk-logs.yaml
@@ -7,8 +7,8 @@ nodes:
 pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="InvalidAccountID",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
 apply_on: message
 statics:
- - meta: log_type
- value: asterisk_failed_auth
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.timestamp
 - meta: target_user
@@ -21,8 +21,8 @@ nodes:
 pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="ChallengeResponseFailed",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
 apply_on: message
 statics:
- - meta: log_type
- value: asterisk_failed_auth
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.timestamp
 - meta: target_user
@@ -35,8 +35,8 @@ nodes:
 pattern: '(\[%{DATA:timestamp}\] )?SECURITY\[%{NUMBER}\].* SecurityEvent="InvalidPassword",EventTV="%{DATA:event_timestamp}",Severity="Error",Service="%{NOTDQUOTE:asterisk_service}",EventVersion="%{NUMBER}",AccountID="%{NOTDQUOTE:username}",SessionID="%{NOTDQUOTE:asterisk_session_id}",LocalAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:target_ip}/%{NUMBER:target_port}",RemoteAddress="IPV%{NUMBER}/(UDP|TCP|TLS)/%{IPORHOST:source_ip}/%{NUMBER:source_port}"'
 apply_on: message
 statics:
- - meta: log_type
- value: asterisk_failed_auth
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.timestamp
 - meta: target_user
diff --git a/parsers/s01-parse/crowdsecurity/cpanel-logs.yaml b/parsers/s01-parse/crowdsecurity/cpanel-logs.yaml
index b69e17f442a..9c8a7de2227 100644
--- a/parsers/s01-parse/crowdsecurity/cpanel-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/cpanel-logs.yaml
@@ -10,48 +10,48 @@ nodes:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: brute force attempt \(user %{DATA}\) has locked out IP %{IP}'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_attempt
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: brute force attempt \(user %{DATA:target_user}\) has locked out IP %{IP}'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_log
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: invalid cpanel user %{DATA:target_user}'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_log
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN cpaneld: %{DATA:target_user} login is not permitted to cpaneld'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_log
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_log
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok:
 pattern: '%{CPANEL_HEADER} FAILED LOGIN whostmgrd: user password incorrect'
 apply_on: message
 statics:
- - meta: log_type
- value: auth_bf_log
+ - meta: auth_status
+ value: failed
 - target: evt.StrTime
 expression: evt.Parsed.date
 - grok: # see https://docs.cpanel.net/knowledge-base/cpanel-product/the-cpanel-log-files/
@@ -73,5 +73,5 @@ statics:
 expression: "evt.Parsed.http_user_agent"
 - meta: http_status
 expression: "evt.Parsed.status"
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.username"
\ No newline at end of file
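Review bot: The first two cpaneld groks match the `brute force attempt (user …) has locked out IP …` line, which cPanel emits once a lockout has already happened; the old `auth_bf_attempt` tag let a scenario exclude it, but it now carries the same `auth_status: failed` as a single wrong password, so a counter on `auth_status == 'failed'` will count the lockout summary as one more failure on top of the attempts that caused it. Tag it separately, e.g. `- meta: log_subtype` / `value: cpanel_lockout` on those two nodes, so scenarios can skip or weight it. Note also that the first pattern captures neither `%{DATA}` nor `%{IP}` while the second captures `target_user` from the same line; if both are meant to match it, the untyped one looks redundant.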
diff --git a/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml b/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
index f750be71dab..87f36e38eaa 100644
--- a/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
@@ -20,9 +20,13 @@ nodes:
 pattern: "auth: passwd-file\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
 apply_on: message
 statics:
+ - meta: service
+ value: dovecot
 - meta: log_type
 value: dovecot_logs
 - meta: source_ip
 expression: "evt.Parsed.dovecot_remote_ip"
- - meta: dovecot_login_result
- expression: "any(['Authentication failure', 'Password mismatch', 'password mismatch', 'auth failed', 'unknown user'], {evt.Parsed.dovecot_login_message contains #}) ? 'auth_failed' : ''"
+ - meta: auth_status
+ expression: "any(['Authentication failure', 'Password mismatch', 'password mismatch', 'auth failed', 'unknown user'], {evt.Parsed.dovecot_login_message contains #}) ? 'failed' : ''"
+ - meta: target_user
+ expression: "evt.Parsed.dovecot_user"
diff --git a/parsers/s01-parse/crowdsecurity/dropbear-logs.yaml b/parsers/s01-parse/crowdsecurity/dropbear-logs.yaml
index faced73437f..e489a8cb11f 100644
--- a/parsers/s01-parse/crowdsecurity/dropbear-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/dropbear-logs.yaml
@@ -19,5 +19,5 @@ statics:
 expression: evt.Parsed.user
 - meta: source_ip
 expression: evt.Parsed.source_ip
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
diff --git a/parsers/s01-parse/crowdsecurity/exim-logs.yaml b/parsers/s01-parse/crowdsecurity/exim-logs.yaml
index 05528d236e3..9526fafca0f 100644
--- a/parsers/s01-parse/crowdsecurity/exim-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/exim-logs.yaml
@@ -16,8 +16,8 @@ nodes:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_AUTH:exim_auth} authenticator failed for %{EXIM_SOURCE}:(?:%{POSINT:source_port}:)? 535 Incorrect authentication data \(set_id=%{NO_END_PAR:target_user}\)'
 apply_on: message
 statics:
- - meta: log_type
- value: exim_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: "JunkMail rejected - %{NOTSPACE} \[%{NO_END_BRACKET}\]:%{INT} is in an RBL: %{NO_DOUBLE_QUOTE:rbl_url}"'
 apply_on: message
@@ -26,8 +26,6 @@ nodes:
 value: spam-attempt
 - meta: rbl_url
 expression: evt.Parsed.rbl_url
- - meta: source_user
- expression: evt.Parsed.source_user
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: Email blocked by %{HOSTNAME:rbl_url}'
 apply_on: message
@@ -36,16 +34,12 @@ nodes:
 value: spam-attempt
 - meta: rbl_url
 expression: evt.Parsed.rbl_url
- - meta: source_user
- expression: evt.Parsed.source_user
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: No Such User Here'
 apply_on: message
 statics:
- - meta: log_type
- value: exim_failed_auth
- - meta: source_user
- expression: evt.Parsed.source_user
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}temporarily rejected connection in "%{NO_DOUBLE_QUOTE:acl}" ACL: "Host is ratelimited \(%{NO_END_PAR:rate_limit}\)'
 apply_on: message
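Review bot: The `rejected RCPT <…>: No Such User Here` node is now tagged `auth_status: failed` although it is an SMTP recipient rejection with no AUTH command involved, while its siblings (`JunkMail rejected`, `Email blocked`, and further down `Sender verify failed`) stay `log_type: spam-attempt`. Once a generic auth-failure scenario keys on `auth_status`, a dictionary spam run against unknown mailboxes will be reported as a credential brute-force. Consider `- meta: log_type` / `value: spam-attempt` like the neighbouring nodes, or at least a `log_subtype` so scenarios can tell the two apart. This hunk also removes the per-node `source_user` statics; what replaces them lives in the file-level statics in the next hunk.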
@@ -58,24 +52,18 @@ nodes:
 statics:
 - meta: log_type
 value: spam-attempt
- - meta: source_user
- expression: evt.Parsed.source_user
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: Sender verify failed'
 apply_on: message
 statics:
 - meta: log_type
 value: spam-attempt
- - meta: source_user
- expression: evt.Parsed.source_user
 - grok:
 pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: SMTP AUTH is required for message submission on port %{POSINT:target_port}'
 apply_on: message
 statics:
 - meta: log_type
 value: spam-attempt
- - meta: source_user
- expression: evt.Parsed.source_user
 - meta: target_port
 expression: evt.Parsed.target_port
 statics:
@@ -89,5 +77,5 @@ statics:
 expression: evt.Parsed.source_dns
 - meta: source_helo
 expression: evt.Parsed.source_helo
- - meta: username
- expression: evt.Parsed.target_user
+ - meta: target_user
+ expression: evt.Parsed.source_user
diff --git a/parsers/s01-parse/crowdsecurity/home-assistant-logs.yaml b/parsers/s01-parse/crowdsecurity/home-assistant-logs.yaml
index 096e408e3c4..d07a0442f84 100644
--- a/parsers/s01-parse/crowdsecurity/home-assistant-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/home-assistant-logs.yaml
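Review bot: The new file-level static `- meta: target_user` / `expression: evt.Parsed.source_user` mislabels the data. For the `535 Incorrect authentication data (set_id=…)` node the grok captures the attempted login as `target_user` and captures no `source_user` at all (unless `EXIM_SOURCE`, defined outside this hunk, does), so the one genuine failed-auth event ends up with an empty `target_user`; for the `rejected RCPT` nodes, `source_user` is the envelope sender and `target_user` the recipient, so the sender is now reported as the target. The removed line mapped `username` to `evt.Parsed.target_user`, which was the right source; restore that mapping under the new key and expose the sender under its own, since the per-node `source_user` statics were dropped in the previous hunk.
```yaml
# … unchanged: source_dns / source_helo statics …
  - meta: target_user
    expression: evt.Parsed.target_user
  - meta: source_user
    expression: evt.Parsed.source_user
```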
@@ -9,19 +9,19 @@ nodes:
 pattern: "%{TIMESTAMP:time} WARNING \\(%{DATA:threadName}\\) \\[homeassistant.components.http.ban\\] Login attempt or request with invalid authentication from %{DATA:source_rdns} \\(%{IPORHOST:source_ip}\\). \\(%{GREEDYDATA:http_user_agent}\\)"
 apply_on: message
 statics:
- - meta: log_type
- value: home-assistant_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: "%{TIMESTAMP:time} WARNING \\(%{DATA:threadName}\\) \\[homeassistant.components.http.ban\\] Login attempt or request with invalid authentication from %{DATA:source_rdns} \\(%{IPORHOST:source_ip}\\). Requested URL: '%{GREEDYDATA:url}'. \\(%{GREEDYDATA:http_user_agent}\\)"
 apply_on: message
 statics:
- - meta: log_type
- value: home-assistant_failed_auth
+ - meta: auth_status
+ value: failed
 statics:
 - target: StrTime
 expression: "evt.Parsed.time"
 - meta: service
- value: http
+ value: home-assistant
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - meta: source_rdns
diff --git a/parsers/s01-parse/crowdsecurity/mariadb-logs.yaml b/parsers/s01-parse/crowdsecurity/mariadb-logs.yaml
index 27495a61813..7ea75b86ed1 100644
--- a/parsers/s01-parse/crowdsecurity/mariadb-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/mariadb-logs.yaml
@@ -19,11 +19,13 @@ nodes:
 value: "060102 15:04:05"
 onsuccess: next_stage
 statics:
+ - meta: service
+ value: mariadb
 - target: evt.StrTime
 expression: "evt.Parsed.date + ' ' + evt.Parsed.time"
- - meta: log_type
- value: "mariadb_failed_auth"
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.user"
diff --git a/parsers/s01-parse/crowdsecurity/mssql-logs.yaml b/parsers/s01-parse/crowdsecurity/mssql-logs.yaml
index 649582408fa..84475fc9051 100644
--- a/parsers/s01-parse/crowdsecurity/mssql-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/mssql-logs.yaml
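Review bot: Changing the file-level `service` from `http` to `home-assistant` is a different kind of change from the `log_type` → `auth_status` rename around it: any scenario that selects events with `evt.Meta.service == 'http'` stops seeing Home Assistant authentication failures, so unless the consuming scenario was updated in the same change (not visible here) this is a silent detection regression. If the rename is intentional — and it is the only parser on this page that changes an existing `service` value rather than adding one — the description or changelog should say so and the home-assistant scenario fixtures should be regenerated. The mariadb hunk beneath it is fine; it adds `service: mariadb` rather than replacing a value.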
@@ -30,9 +30,11 @@ nodes:
 - meta: subtype
 value: bad_user
 statics:
- - meta: log_type
- value: mssql_failed_auth
- - meta: user
+ - meta: service
+ value: mssql
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[1]")
 ---
 onsuccess: next_stage
@@ -60,8 +62,8 @@ nodes:
 statics:
 - meta: service
 value: mssql
- - meta: log_type
- value: mssql_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
diff --git a/parsers/s01-parse/crowdsecurity/mysql-logs.yaml b/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
index 4589cd3a21d..16e0e48de0b 100644
--- a/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
@@ -12,11 +12,13 @@ nodes:
 pattern: "%{TIMESTAMP_ISO8601:time}.*%{NUMBER} Connect.*%{MYSQL_ACCESS_DENIED}"
 apply_on: message
 statics:
- - meta: log_type
- value: mysql_failed_auth
+ - meta: service
+ value: mysql
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
 expression: evt.Parsed.time
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.user"
diff --git a/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml b/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml
index c2fe9b1dd3f..4eb4e3b79b4 100644
--- a/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml
@@ -12,8 +12,8 @@ nodes:
 statics:
 - meta: target_user
 expression: "evt.Parsed.target_user"
- - meta: log_type
- value: nextcloud_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"'
 expression: JsonExtract(evt.Parsed.message, "message")
diff --git a/parsers/s01-parse/crowdsecurity/odoo-logs.yaml b/parsers/s01-parse/crowdsecurity/odoo-logs.yaml
index 39fab5053a9..016bf6faa90 100644
--- a/parsers/s01-parse/crowdsecurity/odoo-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/odoo-logs.yaml
@@ -7,11 +7,13 @@ nodes:
 pattern: '%{TIMESTAMP_ISO8601:timestamp} %{INT:PID} INFO %{DATA:db_name} odoo.addons.base.models.res_users: Login failed for db:%{DATA} login:%{DATA:user} from %{IP:source_ip}'
 apply_on: message
 statics:
- - meta: log_type
- value: odoo_failed_auth
+ - meta: service
+ value: odoo
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.user"
 - meta: db
 expression: "evt.Parsed.db_name"
diff --git a/parsers/s01-parse/crowdsecurity/opnsense-gui-logs.yaml b/parsers/s01-parse/crowdsecurity/opnsense-gui-logs.yaml
index 55f4453663a..cbde0579aef 100644
--- a/parsers/s01-parse/crowdsecurity/opnsense-gui-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/opnsense-gui-logs.yaml
@@ -9,9 +9,9 @@ grok:
 statics:
 - meta: service
 value: opnsense-gui
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.username"
 - meta: source_ip
 expression: evt.Parsed.source_ip
- - meta: log_type
- value: opnsense-gui-failed-auth
+ - meta: auth_status
+ value: failed
diff --git a/parsers/s01-parse/crowdsecurity/pam-logs.yaml b/parsers/s01-parse/crowdsecurity/pam-logs.yaml
index 987a467b650..5edaebf0884 100644
--- a/parsers/s01-parse/crowdsecurity/pam-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/pam-logs.yaml
@@ -13,10 +13,10 @@ nodes:
 pattern: 'pam_unix\(sudo:auth\): authentication failure; logname=%{NOTSPACE:logname} uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{NOTSPACE:tty} ruser=%{NOTSPACE:ruser} rhost=%{GREEDYDATA:rhost} user=%{NOTSPACE:username}'
 apply_on: message
 statics:
- - meta: log_type
- value: pam_failed_auth
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
 value: pam
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.username"
diff --git a/parsers/s01-parse/crowdsecurity/pfsense-gui-logs.yaml b/parsers/s01-parse/crowdsecurity/pfsense-gui-logs.yaml
index 22ca41bc45d..aceab29ac93 100644
--- a/parsers/s01-parse/crowdsecurity/pfsense-gui-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/pfsense-gui-logs.yaml
@@ -8,9 +8,9 @@ grok:
 statics:
 - meta: service
 value: pfsense-gui
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.username"
 - meta: source_ip
 expression: evt.Parsed.source_ip
- - meta: log_type
- value: pfsense-gui-failed-auth
+ - meta: auth_status
+ value: failed
diff --git a/parsers/s01-parse/crowdsecurity/pgsql-logs.yaml b/parsers/s01-parse/crowdsecurity/pgsql-logs.yaml
index d7bbcd45805..7d09a034766 100644
--- a/parsers/s01-parse/crowdsecurity/pgsql-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/pgsql-logs.yaml
@@ -13,15 +13,17 @@ nodes:
 pattern: '%{DATESTAMP:timestamp} %{WORD:zone}:%{IP:source_ip}\(%{INT:source_port}\):%{USERNAME:pgsql_user}@%{GREEDYDATA:pgsql_dbname}:\[%{INT:pid}\]:FATAL: %{WORD:auth_method} authentication failed for user "%{USERNAME:pgsql_target_user}"'
 apply_on: message
 statics:
- - meta: log_type
- value: pgsql_failed_auth
+ - meta: service
+ value: pgsql
+ - meta: auth_status
+ value: failed
 - meta: auth_method
 expression: "evt.Parsed.auth_method"
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.pgsql_target_user"
 - meta: db
 expression: "evt.Parsed.pgsql_dbname"
 - target: evt.StrTime
- expression: evt.Parsed.timestamp
\ No newline at end of file
+ expression: evt.Parsed.timestamp
diff --git a/parsers/s01-parse/crowdsecurity/proftpd-logs.yaml b/parsers/s01-parse/crowdsecurity/proftpd-logs.yaml
index 720d177f449..8405c0da12b 100644
--- a/parsers/s01-parse/crowdsecurity/proftpd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/proftpd-logs.yaml
@@ -22,8 +22,10 @@ nodes:
 pattern: "%{PROFTPD_BAD_USER_PLESK}"
 apply_on: message
 statics:
- - meta: log_type
- value: ftp_failed_auth
+ - meta: service
+ value: proftpd
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - meta: target_user
diff --git a/parsers/s01-parse/crowdsecurity/sabnzbd-logs.yaml b/parsers/s01-parse/crowdsecurity/sabnzbd-logs.yaml
index 2f5019e8c86..fdc25737099 100644
--- a/parsers/s01-parse/crowdsecurity/sabnzbd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sabnzbd-logs.yaml
@@ -15,26 +15,26 @@ nodes:
 pattern: 'Unsuccessful login attempt from %{IP:first_ip}%{SABNZBD_SUFFIX}'
 apply_on: sabnzbd_message
 statics:
- - meta: log_type
- value: sabnzbd_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: 'Fehlerhafter Login Versuch von %{IP:first_ip}%{SABNZBD_SUFFIX}'
 apply_on: sabnzbd_message
 statics:
- - meta: log_type
- value: sabnzbd_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: 'Echec de la tentative de connexion de %{IP:first_ip}%{SABNZBD_SUFFIX}'
 apply_on: sabnzbd_message
 statics:
- - meta: log_type
- value: sabnzbd_failed_auth
+ - meta: auth_status
+ value: failed
 - grok:
 pattern: 'Mislukte login poging van %{IP:first_ip}%{SABNZBD_SUFFIX}'
 apply_on: sabnzbd_message
 statics:
- - meta: log_type
- value: sabnzbd_failed_auth
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
diff --git a/parsers/s01-parse/crowdsecurity/smb-logs.yaml b/parsers/s01-parse/crowdsecurity/smb-logs.yaml
index 01fea439a98..b32b8f62d50 100644
--- a/parsers/s01-parse/crowdsecurity/smb-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/smb-logs.yaml
@@ -18,9 +18,11 @@ nodes:
 - meta: subtype
 value: smb_bad_password
 statics:
- - meta: log_type
- value: smb_failed_auth
+ - meta: service
+ value: smb
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.ip_source"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.user"
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index 986a7b58563..365775f3f06 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -27,24 +27,24 @@ nodes:
 name: "SSHD_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_PREAUTH_AUTHENTICATING_USER_ALT"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_PREAUTH_AUTHENTICATING_USER"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
@@ -57,56 +57,54 @@ nodes:
 name: "SSHD_INVALID_USER"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_INVALID_USER_ALT"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_NOT_ALLOWED_USER"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_INVALID_BANNER"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
- - meta: extra_log_type
- value: ssh_bad_banner
+ - meta: auth_status
+ value: failed
 - grok:
 name: "SSHD_USER_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_AUTH_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
 name: "SSHD_MAGIC_VALUE_FAILED"
 apply_on: message
 statics:
- - meta: log_type
- value: ssh_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.sshd_invalid_user"
 - grok:
diff --git a/parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
index 907e2acd2c9..1c8cf8d0db3 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
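Review bot: The `SSHD_INVALID_BANNER` node loses `extra_log_type: ssh_bad_banner`, so a client that merely speaks the wrong protocol to port 22 — a bad banner carries no username, which is why this node alone has no `target_user` — becomes indistinguishable from a password failure, and a scenario that wants to treat protocol probes differently, or ignore them, has nothing left to key on. Keep the marker under the naming the rest of this commit uses: `- meta: log_subtype` / `value: ssh_bad_banner` after `value: failed`, matching the `log_subtype` keys retained in wireguard-logs.yaml and filebrowser-logs.yaml.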
@@ -15,7 +15,7 @@ statics:
 value: ssh
 - meta: source_ip
 expression: "evt.Parsed.sshd_client_ip"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.sshd_auth_user"
- - meta: log_type
- value: auth_success
+ - meta: auth_status
+ value: success
diff --git a/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml b/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
index 3dfa13fa7f3..2373546a1c5 100644
--- a/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
@@ -7,9 +7,9 @@ nodes:
 - grok:
 pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} .*CustomAuthenticationFailureHandler \\[.*\\] Failed login attempt from IP: \\[?%{IP:source_ip}\\]?"
 apply_on: message
- statics:
- - meta: log_type
- value: failed_authentication
+ statics:
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
 value: stirling-pdf
diff --git a/parsers/s01-parse/crowdsecurity/supabase-docker-pgsql.yaml b/parsers/s01-parse/crowdsecurity/supabase-docker-pgsql.yaml
index 5ece326b5fa..d5a6dd296d0 100644
--- a/parsers/s01-parse/crowdsecurity/supabase-docker-pgsql.yaml
+++ b/parsers/s01-parse/crowdsecurity/supabase-docker-pgsql.yaml
@@ -9,15 +9,17 @@ nodes:
 apply_on: message
 statics:
- - meta: log_type
- value: pgsql_failed_auth
+ - meta: service
+ value: pgsql
+ - meta: auth_status
+ value: failed
 - meta: auth_method
 expression: "evt.Parsed.auth_method"
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.pgsql_target_user"
 - meta: db
 expression: "evt.Parsed.pgsql_dbname"
 - target: evt.StrTime
- expression: evt.Parsed.timestamp
\ No newline at end of file
+ expression: evt.Parsed.timestamp
diff --git a/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml b/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml
index d46e3bb52dc..5c7e1b4c825 100644
--- a/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml @@ -16,12 +16,12 @@ grok: pattern: "%{AUTH_LOG_FAIL}" apply_on: message statics: - - meta: log_type - value: synology-dsm_failed_auth + - meta: auth_status + value: failed statics: - - meta: log_type - value: synology-dsm_failed_auth - meta: service value: synology-dsm + - meta: auth_status + value: failed - meta: source_ip expression: "evt.Parsed.src_ip" diff --git a/parsers/s01-parse/crowdsecurity/teleport-logs.yaml b/parsers/s01-parse/crowdsecurity/teleport-logs.yaml index 7af8d792908..644a297e392 100644 --- a/parsers/s01-parse/crowdsecurity/teleport-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/teleport-logs.yaml @@ -11,12 +11,12 @@ statics: - meta: success expression: "evt.Unmarshaled.teleport.success ? 'true' : 'false'" ## Set for impossible travel scenario - - meta: log_type - expression: "evt.Unmarshaled.teleport.success ? 'auth_success' : 'auth_failed'" + - meta: auth_status + expression: "evt.Unmarshaled.teleport.success ? 'success' : 'failed'" ##Converting a bool with sprintf is very slow, so we use a ternary expression - target: evt.StrTime expression: evt.Unmarshaled.teleport.time - - meta: user + - meta: target_user expression: evt.Unmarshaled.teleport.user - meta: source_ip expression: Split(evt.Unmarshaled.teleport["addr.remote"], ':')[0] diff --git a/parsers/s01-parse/crowdsecurity/thehive-logs.yaml b/parsers/s01-parse/crowdsecurity/thehive-logs.yaml index d97441c2cd8..072789fdb9f 100644 --- a/parsers/s01-parse/crowdsecurity/thehive-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/thehive-logs.yaml @@ -7,8 +7,10 @@ nodes: pattern: '\[info\] o.t.s.AccessLogFilter \[.*\] %{IP:source_ip} POST /api/v1/login took %{INT}ms and returned 401 %{INT} bytes' apply_on: message statics: - - meta: log_type - value: thehive_failed_auth + - meta: service + value: thehive + - meta: auth_status + value: failed - meta: source_ip expression: "evt.Parsed.source_ip" - target: evt.StrTime 
diff --git a/parsers/s01-parse/crowdsecurity/vsftpd-logs.yaml b/parsers/s01-parse/crowdsecurity/vsftpd-logs.yaml index 993ab16afbd..eddcbf6f467 100644 --- a/parsers/s01-parse/crowdsecurity/vsftpd-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/vsftpd-logs.yaml @@ -19,11 +19,13 @@ nodes: statics: - meta: program value: vsftpd - - meta: log_type - value: ftp_failed_auth + - meta: service + value: vsftpd + - meta: auth_status + value: failed - meta: source_ip expression: "evt.Parsed.source_ip" - - meta: user + - meta: target_user expression: "evt.Parsed.user" - target: evt.StrTime expression: evt.Parsed.timestamp diff --git a/parsers/s01-parse/crowdsecurity/windows-auth.yaml b/parsers/s01-parse/crowdsecurity/windows-auth.yaml index 1f632f2eada..0d7696e0b57 100644 --- a/parsers/s01-parse/crowdsecurity/windows-auth.yaml +++ b/parsers/s01-parse/crowdsecurity/windows-auth.yaml @@ -4,9 +4,11 @@ filter: "evt.Parsed.Channel == 'Security' && evt.Parsed.EventID == '4625'" name: crowdsecurity/windows-auth description: "Parse windows authentication failure events (id 4625)" statics: + - meta: service + value: windows - meta: source_ip expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IpAddress']") - - meta: username + - meta: target_user expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetUserName']") - meta: status expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Status']") @@ -14,5 +16,5 @@ statics: expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SubStatus']") - meta: logon_type expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonType']") - - meta: log_type - value: windows_failed_auth \ No newline at end of file + - meta: auth_status + value: failed \ No newline at end of file diff --git a/parsers/s01-parse/crowdsecurity/wireguard-logs.yaml b/parsers/s01-parse/crowdsecurity/wireguard-logs.yaml index 7b92803e073..12521623439 100644 
--- a/parsers/s01-parse/crowdsecurity/wireguard-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/wireguard-logs.yaml @@ -11,16 +11,16 @@ nodes: name: "WIREGUARD_INVALID_HANDSHAKE" apply_on: message statics: - - meta: log_type - value: wireguard_failed_auth + - meta: auth_status + value: failed - meta: log_subtype value: wireguard_invalid_handshake - grok: name: "WIREGUARD_UNAUTHORIZED_PACKET" apply_on: message statics: - - meta: log_type - value: wireguard_failed_auth + - meta: auth_status + value: failed - meta: log_subtype value: wireguard_unauthorized_packet diff --git a/parsers/s01-parse/firix/authentik-logs.yaml b/parsers/s01-parse/firix/authentik-logs.yaml index 0bc2697e413..e8bd6684540 100644 --- a/parsers/s01-parse/firix/authentik-logs.yaml +++ b/parsers/s01-parse/firix/authentik-logs.yaml @@ -5,15 +5,15 @@ onsuccess: next_stage nodes: - filter: "JsonExtract(evt.Parsed.message, 'action') == 'login_failed'" statics: - - meta: log_type - value: authentik_failed_auth - - meta: username + - meta: auth_status + value: failed + - meta: target_user expression: JsonExtract(evt.Parsed.message, "context.username") - filter: "JsonExtract(evt.Parsed.message, 'action') == 'invalid_identifier'" statics: - - meta: log_type - value: authentik_invalid_username - - meta: username + - meta: auth_status + value: failed + - meta: target_user expression: JsonExtract(evt.Parsed.message, "identifier") statics: - meta: service diff --git a/parsers/s01-parse/fulljackz/proxmox-logs.yaml b/parsers/s01-parse/fulljackz/proxmox-logs.yaml index 81f296ea9e8..bca2965d74e 100644 --- a/parsers/s01-parse/fulljackz/proxmox-logs.yaml +++ b/parsers/s01-parse/fulljackz/proxmox-logs.yaml 
@@ -10,12 +10,12 @@ nodes:
 name: "PVE_AUTH_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: pve_failed-auth
- - meta: source_user
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: "evt.Parsed.source_user"
 statics:
 - meta: service
- value: pvedaemon
+ value: proxmox
 - meta: source_ip
 expression: "evt.Parsed.client_ip"
diff --git a/parsers/s01-parse/fulljackz/pureftpd-logs.yaml b/parsers/s01-parse/fulljackz/pureftpd-logs.yaml
index 8d1881a231d..1bfbd3a838a 100644
--- a/parsers/s01-parse/fulljackz/pureftpd-logs.yaml
+++ b/parsers/s01-parse/fulljackz/pureftpd-logs.yaml
@@ -10,9 +10,9 @@ nodes:
 name: "PFTPD_AUTH_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: pftpd_failed-auth
- - meta: source_user
+ - meta: auth_status
+ value: failed
+ - meta: target_user
 expression: "evt.Parsed.user"
 statics:
 - meta: service
diff --git a/parsers/s01-parse/gauth-fr/immich-logs.yaml b/parsers/s01-parse/gauth-fr/immich-logs.yaml
index e49d3f2bfbb..b152512959c 100644
--- a/parsers/s01-parse/gauth-fr/immich-logs.yaml
+++ b/parsers/s01-parse/gauth-fr/immich-logs.yaml
@@ -13,8 +13,8 @@ nodes:
 apply_on: message
 statics:
- - meta: log_type
- value: immich_failed_auth
+ - meta: auth_status
+ value: failed
 - target: evt.StrTimeFormat
 value: "01/02/2006, 3:04:05 PM"
 - grok:
@@ -23,15 +23,15 @@ nodes:
 apply_on: message
 statics:
- - meta: log_type
- value: immich_failed_auth
+ - meta: auth_status
+ value: failed
 - target: evt.StrTimeFormat
 value: "01/02/2006, 15:04:05"
 statics:
 - meta: service
 value: immich
- - meta: user
+ - meta: target_user
 expression: "evt.Parsed.username"
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
diff --git a/parsers/s01-parse/hitech95/nginx-mail-logs.yaml b/parsers/s01-parse/hitech95/nginx-mail-logs.yaml
index c06855f628e..99ed12dd5aa 100644
--- a/parsers/s01-parse/hitech95/nginx-mail-logs.yaml
+++ b/parsers/s01-parse/hitech95/nginx-mail-logs.yaml
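Review bot: `value: pvedaemon` → `value: proxmox` changes the `service` meta value itself, which is a separate breaking change from the `log_type` → `auth_status` migration: anything that filters on `evt.Meta.service == 'pvedaemon'` — hub scenarios, but also users' local scenarios, whitelists, profiles or SIEM queries keyed on that value — silently stops matching. The same rename happens in the nginx-mail hunk at L2501 (`value: mail` → `value: nginxmail`). The updated proxmox and nginx-mail scenarios are not in view, so this assumes they are adjusted elsewhere in the change; either way the rename deserves an explicit line in the change description so downstream users know to update their own rules.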
@@ -20,15 +20,15 @@ nodes:
 statics:
 - target: evt.StrTime
 expression: evt.Parsed.time
- - meta: username
+ - meta: target_user
 expression: evt.Parsed.username
 - meta: log_type
 value: "mail_auth"
 nodes:
 - filter: "evt.Parsed.message contains 'logged in'"
 statics:
- - meta: sub_type
- value: "auth_success"
+ - meta: auth_status
+ value: "success"
 - filter: "evt.Parsed.message contains 'login failed'"
 pattern_syntax:
 MAIL_HTTP_AUTH: 'client login failed: "%{NO_DOUBLE_QUOTE:auth_result}" while'
@@ -36,14 +36,14 @@ nodes:
 pattern: '%{MAIL_HTTP_AUTH}'
 apply_on: message
 statics:
- - meta: sub_type
- value: "auth_fail"
+ - meta: auth_status
+ value: "failed"
 - meta: auth_result
 expression: evt.Parsed.auth_result
 # these ones apply for both grok patterns
 statics:
 - meta: service
- value: mail
+ value: nginxmail
 - meta: source_ip
 expression: "evt.Parsed.remote_addr"
 - meta: dest_ip
diff --git a/parsers/s01-parse/jbowdre/miniflux-logs.yaml b/parsers/s01-parse/jbowdre/miniflux-logs.yaml
index 9c7b87bb2cf..bf6312df82d 100644
--- a/parsers/s01-parse/jbowdre/miniflux-logs.yaml
+++ b/parsers/s01-parse/jbowdre/miniflux-logs.yaml
@@ -10,8 +10,8 @@ nodes:
 # miniflux | time=2024-01-12T22:55:30.265Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=user1 error="store: invalid password for \"user1\" (crypto/bcrypt: hashedPassword is not the hash of the given password)"
 apply_on: message
 statics:
- - meta: log_type
- value: miniflux_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: log_subtype
 value: miniflux_bad_password
 - meta: evt.StrTimeFormat
@@ -21,8 +21,8 @@ nodes:
 # miniflux | time=2024-01-12T22:54:56.307Z level=WARN msg="Incorrect username or password" authentication_failed=true client_ip=192.168.0.254 user_agent="Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" username=hacker1 error="store: unable to find this user: hacker1"
 apply_on: message
 statics:
- - meta: log_type
- value: miniflux_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: log_subtype
 value: miniflux_bad_user
 - meta: evt.StrTimeFormat
@@ -31,7 +31,7 @@ nodes:
 statics:
 - meta: service
 value: miniflux
- - meta: user
+ - meta: target_user
 expression: evt.Parsed.username
 - meta: source_ip
 expression: evt.Parsed.source_ip
diff --git a/parsers/s01-parse/jusabatier/apereo-cas-audit-logs.yaml b/parsers/s01-parse/jusabatier/apereo-cas-audit-logs.yaml
index 469709f7b70..dbe446bc0c7 100644
--- a/parsers/s01-parse/jusabatier/apereo-cas-audit-logs.yaml
+++ b/parsers/s01-parse/jusabatier/apereo-cas-audit-logs.yaml
@@ -16,8 +16,8 @@ nodes:
 name: "CAS_AUTH_FAIL"
 apply_on: message
 statics:
- - meta: log_type
- value: cas_failed-auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: "evt.Parsed.cas_invalid_user"
 - target: evt.StrTime
diff --git a/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml b/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
index e77213063fd..f7578b1e78d 100644
--- a/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
+++ b/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
@@ -10,15 +10,15 @@ nodes:
 pattern: '\[%{TIMESTAMP_ISO8601:timestamp}\] ERROR: %{ABS_FAILED_AUTH}'
 apply_on: message
 statics:
- - meta: log_type
- value: abs_failed_auth
+ - meta: auth_status
+ value: failed
 - filter: 'UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "abs") in ["", nil]'
 grok:
 pattern: "%{ABS_FAILED_AUTH}"
 expression: evt.Unmarshaled.abs.message
 statics:
- - meta: log_type
- value: abs_failed_auth
+ - meta: auth_status
+ value: failed
 statics:
 - meta: service
 value: audiobookshelf
@@ -27,5 +27,5 @@ statics:
 - target: evt.StrTime
 expression: 'evt.Parsed.timestamp != "" ? evt.Parsed.timestamp : evt.Unmarshaled.abs.timestamp' ## We check if the parser parsed the timestamp or if it within the json output
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.username"
diff --git a/parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml b/parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml
index 9d3be83e5f8..cf99bf42670 100644
--- a/parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml
+++ b/parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml
@@ -16,13 +16,13 @@ nodes:
 expression: "evt.Parsed.date + ' ' + evt.Parsed.time"
 onsuccess: next_stage
 statics:
- - meta: log_type
- value: prowlarr_failed_authentication
 - meta: service
 value: prowlarr
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
 expression: "evt.Parsed.timestamp"
- - meta: username
+ - meta: target_user
 expression: evt.Parsed.username
diff --git a/parsers/s01-parse/schiz0phr3ne/radarr-logs.yaml b/parsers/s01-parse/schiz0phr3ne/radarr-logs.yaml
index 14cde1f2e0d..509dd41cf38 100644
--- a/parsers/s01-parse/schiz0phr3ne/radarr-logs.yaml
+++ b/parsers/s01-parse/schiz0phr3ne/radarr-logs.yaml
@@ -20,11 +20,11 @@ nodes:
 statics:
 - meta: service
 value: radarr
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
 expression: "evt.Parsed.timestamp"
- - meta: username
+ - meta: target_user
 expression: evt.Parsed.username
- - meta: log_type
- value: radarr_failed_authentication
diff --git a/parsers/s01-parse/schiz0phr3ne/sonarr-logs.yaml b/parsers/s01-parse/schiz0phr3ne/sonarr-logs.yaml
index 6385af6728e..ee6a2b85c54 100644
--- a/parsers/s01-parse/schiz0phr3ne/sonarr-logs.yaml
+++ b/parsers/s01-parse/schiz0phr3ne/sonarr-logs.yaml
@@ -17,13 +17,13 @@ nodes:
 onsuccess: next_stage
 statics:
- - meta: log_type
- value: sonarr_failed_authentication
 - meta: service
 value: sonarr
+ - meta: auth_status
+ value: failed
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
 expression: "evt.Parsed.timestamp"
- - meta: username
+ - meta: target_user
 expression: evt.Parsed.username
diff --git a/parsers/s01-parse/sdwilsh/navidrome-logs.yaml b/parsers/s01-parse/sdwilsh/navidrome-logs.yaml
index 896341b107f..20b7e3ee342 100644
--- a/parsers/s01-parse/sdwilsh/navidrome-logs.yaml
+++ b/parsers/s01-parse/sdwilsh/navidrome-logs.yaml
@@ -7,9 +7,9 @@ description: Parses logs from Navidrome
 statics:
 - meta: service
 value: navidrome
- - meta: log_type
+ - meta: auth_status
 expression: |
- evt.Unmarshaled.navidrome.httpStatus == '401' && evt.Unmarshaled.navidrome.msg contains '/auth/login' ? 'navidrome_failed_auth' : ''
+ evt.Unmarshaled.navidrome.httpStatus == '401' && evt.Unmarshaled.navidrome.msg contains '/auth/login' ? 'failed' : ''
 - meta: http_status
 expression: evt.Unmarshaled.navidrome.httpStatus
 - target: evt.StrTime
diff --git a/parsers/s01-parse/thespad/sshesame-logs.yaml b/parsers/s01-parse/thespad/sshesame-logs.yaml
index 435817fbd3b..9205bb36a6b 100644
--- a/parsers/s01-parse/thespad/sshesame-logs.yaml
+++ b/parsers/s01-parse/thespad/sshesame-logs.yaml
@@ -44,7 +44,7 @@ statics:
 value: sshesame
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: username
+ - meta: target_user
 expression: "evt.Parsed.sshesame_user"
 - meta: command
 expression: "evt.Parsed.sshesame_cmd"
diff --git a/parsers/s01-parse/timokoessler/mongodb-logs.yaml b/parsers/s01-parse/timokoessler/mongodb-logs.yaml
index 6dd4d92abdc..001f64b7a59 100644
--- a/parsers/s01-parse/timokoessler/mongodb-logs.yaml
+++ b/parsers/s01-parse/timokoessler/mongodb-logs.yaml
@@ -7,8 +7,8 @@ nodes:
 JsonExtract(evt.Parsed.message, "c") == 'ACCESS' && JsonExtract(evt.Parsed.message, "msg") == 'Authentication failed'
 statics:
- - meta: log_type
- value: "mongodb_failed_auth"
+ - meta: auth_status
+ value: failed
 grok:
 pattern: '%{IPORHOST:remote_addr}'
 expression: JsonExtract(evt.Parsed.message, "attr.remote")
@@ -22,7 +22,7 @@ statics:
 expression: JsonExtract(evt.Parsed.message, "t.$date")
 - target: evt.StrTime
 expression: "evt.Parsed.timestamp"
- - meta: username
+ - meta: target_user
 expression: JsonExtract(evt.Parsed.message, "attr.principalName")
 - meta: authentication_database
 expression: JsonExtract(evt.Parsed.message, "attr.authenticationDatabase")
\ No newline at end of file
diff --git a/parsers/s01-parse/xs539/bookstack-logs.yaml b/parsers/s01-parse/xs539/bookstack-logs.yaml
index d4ba1eb46d6..dc9873cab27 100644
--- a/parsers/s01-parse/xs539/bookstack-logs.yaml
+++ b/parsers/s01-parse/xs539/bookstack-logs.yaml
@@ -12,8 +12,8 @@ nodes:
 pattern: '\[%{APACHEERRORTIME:timestamp}\] \[php:%{WORD:log_level}\] \[pid %{INT:pid}\] \[client %{IPORHOST:remote_addr}(:%{INT:remote_port})?\] Failed login for %{BOOKSTACK_USER:target_user}(, referer: %{GREEDYDATA:http_referer})?'
 apply_on: message
 statics:
- - meta: log_type
- value: bookstack_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: evt.Parsed.target_user
 - meta: service
diff --git a/parsers/s01-parse/xs539/joplin-server-logs.yaml b/parsers/s01-parse/xs539/joplin-server-logs.yaml
index 36581919774..7c09051dbbc 100644
--- a/parsers/s01-parse/xs539/joplin-server-logs.yaml
+++ b/parsers/s01-parse/xs539/joplin-server-logs.yaml
@@ -9,16 +9,16 @@ nodes:
 pattern: '%{JOPLIN_DATE:timestamp}%{GREEDYDATA}/api/sessions: %{IPORHOST:remote_addr}%{GREEDYDATA}Invalid username or password%{GREEDYDATA}"%{EMAILADDRESS:target_user}"'
 apply_on: message
 statics:
- - meta: log_type
- value: joplin_server_failed_auth
+ - meta: auth_status
+ value: failed
 - meta: target_user
 expression: evt.Parsed.target_user
 - grok:
 pattern: '%{JOPLIN_DATE:timestamp}: App: %{IPORHOST:remote_addr}: %{NUMBER:body_bytes_sent} B: %{WORD:http_method} %{URIPATH:http_path} \(%{NUMBER:http_status}\) \(%{NUMBER:response_time}ms\)'
 apply_on: message
 statics:
- - meta: log_type
- expression: 'evt.Parsed.http_status == "403" and evt.Parsed.http_path == "/login" ? "joplin_server_failed_auth" : ""'
+ - meta: auth_status
+ expression: 'evt.Parsed.http_status == "403" and evt.Parsed.http_path == "/login" ? "failed" : ""'
 statics:
 - meta: service
 value: joplin
diff --git a/scenarios/Azlaroc/sftpgo-bf.yaml b/scenarios/Azlaroc/sftpgo-bf.yaml
index e8047c032cd..99fd92a7f63 100644
--- a/scenarios/Azlaroc/sftpgo-bf.yaml
+++ b/scenarios/Azlaroc/sftpgo-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: Azlaroc/sftpgo-bf
 description: "Detect SFTPGo bruteforce attacks on FTP/SSH"
-filter: "evt.Meta.log_type == 'sftpgo_auth' && evt.Meta.is_failed_login == 'true'"
+filter: "evt.Meta.service == 'sftpgo' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 capacity: 3
 leakspeed: "30s"
diff --git a/scenarios/Dominic-Wagner/vaultwarden-bf.yaml b/scenarios/Dominic-Wagner/vaultwarden-bf.yaml
index 505a942800c..e3fe78d93db 100644
--- a/scenarios/Dominic-Wagner/vaultwarden-bf.yaml
+++ b/scenarios/Dominic-Wagner/vaultwarden-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: Dominic-Wagner/vaultwarden-bf
 description: "Detect vaultwarden bruteforce"
-filter: "evt.Meta.log_type in ['vaultwarden_failed_auth', 'vaultwarden_failed_admin_auth', 'vaultwarden_failed_2fa_totp', 'vaultwarden_failed_2fa_email']"
+filter: "evt.Meta.service == 'vaultwarden' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: Dominic-Wagner/vaultwarden-bf_user-enum
 description: "Detect vaultwarden user enum bruteforce"
-filter: evt.Meta.log_type == 'vaultwarden_failed_auth'
+filter: "evt.Meta.service == 'vaultwarden' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 5m
diff --git a/scenarios/Jgigantino31/calibre-web-bf.yaml b/scenarios/Jgigantino31/calibre-web-bf.yaml
index 7cfa66adead..3a82b38e452 100644
--- a/scenarios/Jgigantino31/calibre-web-bf.yaml
+++ b/scenarios/Jgigantino31/calibre-web-bf.yaml
@@ -1,7 +1,7 @@
 # calibre-web BF scan
 name: Jgigantino31/calibre-web-bf
 description: "Detect calibre-web bruteforce"
-filter: "evt.Meta.log_type == 'calibre-web_failed_auth'"
+filter: "evt.Meta.service == 'calibre-web' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: Jgigantino31/calibre-web-bf_user-enum
 description: "Detect calibre-web user enum bruteforce"
-filter: "evt.Meta.log_type == 'calibre-web_failed_auth'"
+filter: "evt.Meta.service == 'calibre-web' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/Jgigantino31/ntfy-bf.yaml b/scenarios/Jgigantino31/ntfy-bf.yaml
index 573cc909201..c2d303ec498 100644
--- a/scenarios/Jgigantino31/ntfy-bf.yaml
+++ b/scenarios/Jgigantino31/ntfy-bf.yaml
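Review bot: The `vaultwarden-bf_user-enum` filter is now wider than before: the removed line matched `vaultwarden_failed_auth` only, while the new `auth_status == 'failed'` also covers the admin-auth and 2FA failures that the first hunk's removed filter lists explicitly. With `distinct: evt.Meta.target_user`, a 2FA failure (password already accepted) or an admin-page failure now adds to the distinct-user count of an enumeration bucket that previously only primary-login failures could fill, so the scenario's meaning shifts from "many unknown/wrong users tried" to "any kind of auth failure across several users". The same widening appears for webmin (L2516–L2517, previously `webmin_failed_auth_wrong_pass`) and zoneminder (L2517, previously `zm_bad_user` for the user-enum scenario and `zm_bad_password` for the bruteforce one). If the vaultwarden parser still emits a per-event `log_subtype` (it is outside this view), appending `&& evt.Meta.log_subtype == '<password-failure subtype>'` to the user-enum filter restores the old scope; otherwise the broadened behaviour should be stated in the scenario's `description`.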
@@ -1,7 +1,7 @@
 # ntfy BF scan
 name: Jgigantino31/ntfy-bf
 description: "Detect ntfy bruteforce"
-filter: "evt.Meta.log_type == 'ntfy_failed_auth'"
+filter: "evt.Meta.service == 'ntfy' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
diff --git a/scenarios/LePresidente/adguardhome-bf.yaml b/scenarios/LePresidente/adguardhome-bf.yaml
index 7a675ca846e..0abfdd6f5c3 100644
--- a/scenarios/LePresidente/adguardhome-bf.yaml
+++ b/scenarios/LePresidente/adguardhome-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LePresidente/adguardhome-bf
 description: "Detect AdGuardHome bruteforce attacks"
-filter: "evt.Meta.log_type == 'adguardhome_failed_auth'"
+filter: "evt.Meta.service == 'adguardhome' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/LePresidente/authelia-bf.yaml b/scenarios/LePresidente/authelia-bf.yaml
index 9cbc4f0e52d..bb60e5b4c50 100644
--- a/scenarios/LePresidente/authelia-bf.yaml
+++ b/scenarios/LePresidente/authelia-bf.yaml
@@ -1,7 +1,7 @@
 # authelia BF scan
 name: LePresidente/authelia-bf
 description: "Detect authelia bruteforce"
-filter: "evt.Meta.service == 'authelia' && evt.Meta.log_type == 'auth_failed'"
+filter: "evt.Meta.service == 'authelia' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/authelia-bf_user-enum
 description: "Detect authelia user enum bruteforce"
-filter: "evt.Meta.service == 'authelia' && evt.Meta.log_type == 'auth_failed'"
+filter: "evt.Meta.service == 'authelia' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/emby-bf.yaml b/scenarios/LePresidente/emby-bf.yaml
index d88142fcaf5..34d80e0aa63 100644
--- a/scenarios/LePresidente/emby-bf.yaml
+++ b/scenarios/LePresidente/emby-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LePresidente/emby-bf
 description: "Detect emby bruteforce"
-filter: "evt.Meta.log_type == 'emby_failed_auth'"
+filter: "evt.Meta.service == 'emby' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/LePresidente/gitea-bf.yaml b/scenarios/LePresidente/gitea-bf.yaml
index 3b6a8f47574..ea59c6c430e 100644
--- a/scenarios/LePresidente/gitea-bf.yaml
+++ b/scenarios/LePresidente/gitea-bf.yaml
@@ -1,7 +1,7 @@
 # gitea BF scan
 name: LePresidente/gitea-bf
 description: "Detect gitea bruteforce"
-filter: "evt.Meta.log_type == 'gitea_failed_auth'"
+filter: "evt.Meta.service == 'gitea' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/gitea-bf_user-enum
 description: "Detect gitea user enum bruteforce"
-filter: "evt.Meta.log_type == 'gitea_failed_auth'"
+filter: "evt.Meta.service == 'gitea' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/grafana-bf.yaml b/scenarios/LePresidente/grafana-bf.yaml
index c8b25ccbfe0..e73c2fcfc16 100644
--- a/scenarios/LePresidente/grafana-bf.yaml
+++ b/scenarios/LePresidente/grafana-bf.yaml
@@ -1,7 +1,7 @@
 # grafana BF scan
 name: LePresidente/grafana-bf
 description: "Detect grafana bruteforce"
-filter: "evt.Meta.service == 'grafana' && evt.Meta.log_type == 'auth_failed'"
+filter: "evt.Meta.service == 'grafana' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
diff --git a/scenarios/LePresidente/harbor-bf.yaml b/scenarios/LePresidente/harbor-bf.yaml
index 35922446247..1840ff51986 100644
--- a/scenarios/LePresidente/harbor-bf.yaml
+++ b/scenarios/LePresidente/harbor-bf.yaml
@@ -1,7 +1,7 @@
 # harbor BF scan
 name: LePresidente/harbor-bf
 description: "Detect harbor bruteforce"
-filter: "evt.Meta.log_type == 'harbor_failed_auth'"
+filter: "evt.Meta.service == 'harbor' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/harbor-bf_user-enum
 description: "Detect harbor user enum bruteforce"
-filter: "evt.Meta.log_type == 'harbor_failed_auth'"
+filter: "evt.Meta.service == 'harbor' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/jellyfin-bf.yaml b/scenarios/LePresidente/jellyfin-bf.yaml
index 42d927db97e..efa82bf2bd3 100644
--- a/scenarios/LePresidente/jellyfin-bf.yaml
+++ b/scenarios/LePresidente/jellyfin-bf.yaml
@@ -1,7 +1,7 @@
 # jellyfin BF scan
 name: LePresidente/jellyfin-bf
 description: "Detect jellyfin bruteforce"
-filter: "evt.Meta.log_type == 'jellyfin_failed_auth'"
+filter: "evt.Meta.service == 'jellyfin' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/jellyfin-bf_user-enum
 description: "Detect jellyfin user enum bruteforce"
-filter: "evt.Meta.log_type == 'jellyfin_failed_auth'"
+filter: "evt.Meta.service == 'jellyfin' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/jellyseerr-bf.yaml b/scenarios/LePresidente/jellyseerr-bf.yaml
index 68c92702349..927dbe4a5e0 100644
--- a/scenarios/LePresidente/jellyseerr-bf.yaml
+++ b/scenarios/LePresidente/jellyseerr-bf.yaml
@@ -1,7 +1,7 @@
 # jellyseerr BF scan
 name: LePresidente/jellyseerr-bf
 description: "Detect jellyseerr bruteforce"
-filter: "evt.Meta.log_type == 'jellyseerr_failed_auth'"
+filter: "evt.Meta.service == 'jellyseerr' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/jellyseerr-bf_user-enum
 description: "Detect jellyseerr user enum bruteforce"
-filter: "evt.Meta.log_type == 'jellyseerr_failed_auth'"
+filter: "evt.Meta.service == 'jellyseerr' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/ombi-bf.yaml b/scenarios/LePresidente/ombi-bf.yaml
index 04c7f9c85b1..633685aab99 100644
--- a/scenarios/LePresidente/ombi-bf.yaml
+++ b/scenarios/LePresidente/ombi-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LePresidente/ombi-bf
 description: "Detect Ombi bruteforce"
-filter: "evt.Meta.log_type == 'ombi_auth_failed'"
+filter: "evt.Meta.service == 'ombi' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/LePresidente/overseerr-bf.yaml b/scenarios/LePresidente/overseerr-bf.yaml
index 0d9065a23c5..119b800f1ab 100644
--- a/scenarios/LePresidente/overseerr-bf.yaml
+++ b/scenarios/LePresidente/overseerr-bf.yaml
@@ -1,7 +1,7 @@
 # overseerr BF scan
 name: LePresidente/overseerr-bf
 description: "Detect overseerr bruteforce"
-filter: "evt.Meta.log_type == 'overseerr_failed_auth'"
+filter: "evt.Meta.service == 'overseerr' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/overseerr-bf_user-enum
 description: "Detect overseerr user enum bruteforce"
-filter: "evt.Meta.log_type == 'overseerr_failed_auth'"
+filter: "evt.Meta.service == 'overseerr' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LePresidente/redmine-bf.yaml b/scenarios/LePresidente/redmine-bf.yaml
index eac85c614ed..ded2576834f 100644
--- a/scenarios/LePresidente/redmine-bf.yaml
+++ b/scenarios/LePresidente/redmine-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LePresidente/redmine-bf
 description: "Detect Redmine bruteforce attacks"
-filter: "evt.Meta.log_type == 'redmine_failed_auth'"
+filter: "evt.Meta.service == 'redmine' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: LePresidente/redmine-bf_user-enum
 description: "Detect Redmine user enum bruteforce"
-filter: "evt.Meta.log_type == 'redmine_failed_auth'"
+filter: "evt.Meta.service == 'redmine' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/LearningSpot/dockge-bf.yaml b/scenarios/LearningSpot/dockge-bf.yaml
index 89050c1e895..bc94241fc50 100644
--- a/scenarios/LearningSpot/dockge-bf.yaml
+++ b/scenarios/LearningSpot/dockge-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LearningSpot/dockge-bf
 description: "Detect Dockge Bruteforce"
-filter: evt.Meta.log_type == 'dockge_failed_auth'
+filter: "evt.Meta.service == 'dockge' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 1m
 capacity: 5
@@ -21,8 +21,8 @@ labels:
 type: leaky
 name: LearningSpot/dockge_bf_user_enum
 description: "Detect Dockge User Enumeration Bruteforce"
-filter: evt.Meta.log_type == 'dockge_failed_auth'
-distinct: evt.Meta.username
+filter: "evt.Meta.service == 'dockge' && evt.Meta.auth_status == 'failed'"
+distinct: evt.Meta.target_user
 groupby: evt.Meta.source_ip
 leakspeed: 1m
 capacity: 5
diff --git a/scenarios/LearningSpot/hestiacp-bf.yaml b/scenarios/LearningSpot/hestiacp-bf.yaml
index b5cdc207307..d696f769f5f 100644
--- a/scenarios/LearningSpot/hestiacp-bf.yaml
+++ b/scenarios/LearningSpot/hestiacp-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LearningSpot/hestiacp-bf
 description: "Detect Hestiacp Bruteforce"
-filter: evt.Meta.log_type == 'hestiacp_failed_auth'
+filter: "evt.Meta.service == 'hestiacp' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 1m
 capacity: 5
@@ -21,7 +21,7 @@ labels:
 type: leaky
 name: LearningSpot/hestiacp-bf-user-enum
 description: "Detect Hestiacp User Enumeration Bruteforce"
-filter: evt.Meta.log_type == 'hestiacp_failed_auth'
+filter: "evt.Meta.service == 'hestiacp' && evt.Meta.auth_status == 'failed'"
 distinct: evt.Meta.target_user
 groupby: evt.Meta.source_ip
 leakspeed: 1m
diff --git a/scenarios/LearningSpot/litellm-bf.yaml b/scenarios/LearningSpot/litellm-bf.yaml
index ccfe7549ce0..ffc540c8408 100644
--- a/scenarios/LearningSpot/litellm-bf.yaml
+++ b/scenarios/LearningSpot/litellm-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: LearningSpot/litellm-bf
 description: "Detect bruteforce attempts to Litellm"
-filter: "evt.Meta.log_type == 'litellm_failed_auth' && evt.Meta.status == '401'"
+filter: "evt.Meta.service == 'litellm' && evt.Meta.auth_status == 'failed' && evt.Meta.status == '401'"
 groupby: evt.Meta.source_ip
 leakspeed: 1m
 capacity: 5
diff --git a/scenarios/MariuszKociubinski/bitwarden-bf.yaml b/scenarios/MariuszKociubinski/bitwarden-bf.yaml
index 4243c88f515..527c43e759e 100644
--- a/scenarios/MariuszKociubinski/bitwarden-bf.yaml
+++ b/scenarios/MariuszKociubinski/bitwarden-bf.yaml
@@ -1,7 +1,7 @@
 # bitwarden BF scan
 name: MariuszKociubinski/bitwarden-bf
 description: "Detect bitwarden bruteforce"
-filter: "evt.Meta.log_type == 'bitwarden_failed_auth'"
+filter: "evt.Meta.service == 'bitwarden' && evt.Meta.auth_status == 'failed'"
 #debug: false
 type: leaky
 groupby: evt.Meta.source_ip
diff --git a/scenarios/MrShippeR/filebrowser-bf.yaml b/scenarios/MrShippeR/filebrowser-bf.yaml
index 19443632c10..859c602f7d5 100644
--- a/scenarios/MrShippeR/filebrowser-bf.yaml
+++ b/scenarios/MrShippeR/filebrowser-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: MrShippeR/filebrowser-bf
 description: "Detect FileBrowser bruteforce login attempts"
-filter: evt.Meta.log_type == 'filebrowser_failed_auth'
+filter: "evt.Meta.service == 'filebrowser' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 10s
 capacity: 5
diff --git a/scenarios/PintjesB/technitium-bf.yaml b/scenarios/PintjesB/technitium-bf.yaml
index 5632502838f..9baebab49c6 100644
--- a/scenarios/PintjesB/technitium-bf.yaml
+++ b/scenarios/PintjesB/technitium-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: PintjesB/technitium-bf
 description: "Detect Technitium bruteforce attacks"
-filter: "evt.Meta.log_type == 'technitium_failed_auth'"
+filter: "evt.Meta.service == 'technitium' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/a1ad/meshcentral-bf.yaml b/scenarios/a1ad/meshcentral-bf.yaml
index 0b6ad55eada..020abc996ed 100644
--- a/scenarios/a1ad/meshcentral-bf.yaml
+++ b/scenarios/a1ad/meshcentral-bf.yaml
@@ -1,7 +1,7 @@
 # meshcentral BF scan
 name: a1ad/meshcentral-bf
 description: "Detect meshcentral bruteforce"
-filter: "evt.Meta.log_type == 'meshcentral_failed_auth'"
+filter: "evt.Meta.service == 'meshcentral' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: a1ad/meshcentral-bf_user-enum
 description: "Detect meshcentral user enum bruteforce"
-filter: "evt.Meta.log_type == 'meshcentral_failed_auth'"
+filter: "evt.Meta.service == 'meshcentral' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/a1ad/mikrotik-bf.yaml b/scenarios/a1ad/mikrotik-bf.yaml
index 4120669780d..6beb29682dd 100644
--- a/scenarios/a1ad/mikrotik-bf.yaml
+++ b/scenarios/a1ad/mikrotik-bf.yaml
@@ -1,7 +1,7 @@
 # Mikrotik BF scan
 name: a1ad/mikrotik-bf
 description: "Detect Mikrotik bruteforce"
-filter: "evt.Meta.log_type == 'mikrotik_failed_auth'"
+filter: "evt.Meta.service == 'mikrotik' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: a1ad/mikrotik-bf_user-enum
 description: "Detect mikrotik user enum bruteforce"
-filter: "evt.Meta.log_type == 'mikrotik_failed_auth'"
+filter: "evt.Meta.service == 'mikrotik' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/andreasbrett/baikal-bf.yaml b/scenarios/andreasbrett/baikal-bf.yaml
index 16cb1dde082..65f85212e0e 100644
--- a/scenarios/andreasbrett/baikal-bf.yaml
+++ b/scenarios/andreasbrett/baikal-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: andreasbrett/baikal-bf
 description: "Detect Baikal bruteforce attacks"
-filter: "evt.Meta.log_type in ['baikal_failed_auth', 'baikal_failed_auth_no_user']"
+filter: "evt.Meta.service == 'baikal' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: andreasbrett/baikal-bf_user-enum
 description: "Detect Baikal user enum bruteforce"
-filter: "evt.Meta.log_type == 'baikal_failed_auth'"
+filter: "evt.Meta.service == 'baikal' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 5m
diff --git a/scenarios/andreasbrett/paperless-ngx-bf.yaml b/scenarios/andreasbrett/paperless-ngx-bf.yaml
index 5ce07e3243a..dc9f05a27c8 100644
--- a/scenarios/andreasbrett/paperless-ngx-bf.yaml
+++ b/scenarios/andreasbrett/paperless-ngx-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: andreasbrett/paperless-ngx-bf
 description: "Detect Paperless-ngx bruteforce attacks"
-filter: "evt.Meta.log_type == 'paperless_ngx_failed_auth'"
+filter: "evt.Meta.service == 'paperless-ngx' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: andreasbrett/paperless-ngx-bf_user-enum
 description: "Detect Paperless-ngx user enum bruteforce"
-filter: "evt.Meta.log_type == 'paperless_ngx_failed_auth'"
+filter: "evt.Meta.service == 'paperless-ngx' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 5m
diff --git a/scenarios/andreasbrett/webmin-bf.yaml b/scenarios/andreasbrett/webmin-bf.yaml
index dd146442fbb..b2778edd057 100644
--- a/scenarios/andreasbrett/webmin-bf.yaml
+++ b/scenarios/andreasbrett/webmin-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: andreasbrett/webmin-bf
 description: "Detect Webmin bruteforce attacks"
-filter: "evt.Meta.log_type == 'webmin_failed_auth_wrong_pass'"
+filter: "evt.Meta.service == 'webmin' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: andreasbrett/webmin-bf_user-enum
 description: "Detect Webmin user enum bruteforce"
-filter: "evt.Meta.log_type == 'webmin_failed_auth_wrong_pass'"
+filter: "evt.Meta.service == 'webmin' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 5m
diff --git a/scenarios/baudneo/gotify-bf.yaml b/scenarios/baudneo/gotify-bf.yaml
index bd43c8c1227..ca2a7b04cc1 100644
--- a/scenarios/baudneo/gotify-bf.yaml
+++ b/scenarios/baudneo/gotify-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: baudneo/gotify-bf
 description: "Detect bruteforce"
-filter: "evt.Meta.log_type == 'gotify_failed_auth'"
+filter: "evt.Meta.service == 'gotify' && evt.Meta.auth_status == 'failed'"
 groupby: "evt.Meta.source_ip"
 capacity: 3
 leakspeed: "10s"
diff --git a/scenarios/baudneo/zoneminder-bf.yaml b/scenarios/baudneo/zoneminder-bf.yaml
index d3a31847153..d2a08f153cd 100644
--- a/scenarios/baudneo/zoneminder-bf.yaml
+++ b/scenarios/baudneo/zoneminder-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: baudneo/zoneminder-bf
 description: "Detect ZoneMinder bruteforce"
-filter: "evt.Meta.log_subtype == 'zm_bad_password'"
+filter: "evt.Meta.service == 'zoneminder' && evt.Meta.auth_status == 'failed'"
 groupby: "evt.Meta.source_ip"
 capacity: 4
 leakspeed: "10s"
@@ -20,11 +20,11 @@ labels:
 ---
 # user enum
 type: leaky
-name: baudneo/zoneminder-bf
+name: baudneo/zoneminder-bf_user-enum
 description: "Detect ZoneMinder user enumeration"
-filter: "evt.Meta.log_subtype == 'zm_bad_user'"
+filter: "evt.Meta.service == 'zoneminder' && evt.Meta.auth_status == 'failed'"
 groupby: "evt.Meta.source_ip"
-distinct: "evt.Meta.username"
+distinct: "evt.Meta.target_user"
 capacity: 4
 leakspeed: "10s"
 blackhole: 1m
diff --git a/scenarios/bouddha-fr/opensearch-dashboard-bf.yaml b/scenarios/bouddha-fr/opensearch-dashboard-bf.yaml
index 741042b4755..0f6f48537cb 100644
--- a/scenarios/bouddha-fr/opensearch-dashboard-bf.yaml
+++ b/scenarios/bouddha-fr/opensearch-dashboard-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: bouddha-fr/opensearch-dashboard-bf
 description: "Detect bruteforce attempts on OpenSearch web interface"
-filter: evt.Meta.log_type == 'opensearch_failed_auth'
+filter: "evt.Meta.service == 'opensearch' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/corvese/apache-guacamole_bf.yaml b/scenarios/corvese/apache-guacamole_bf.yaml
index 46c127613b2..1f6c711d6c0 100644
--- a/scenarios/corvese/apache-guacamole_bf.yaml
+++ b/scenarios/corvese/apache-guacamole_bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: corvese/apache-guacamole_bf
 description: "Detect Apache Guacamole user bruteforce"
-filter: evt.Meta.log_type == 'apache-guacamole_failed_auth'
+filter: "evt.Meta.service == 'apache-guacamole' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 10s
 capacity: 5
diff --git a/scenarios/corvese/apache-guacamole_user_enum.yaml b/scenarios/corvese/apache-guacamole_user_enum.yaml
index 91a9a98b3a1..e9d9f3397d2 100644
--- a/scenarios/corvese/apache-guacamole_user_enum.yaml
+++ b/scenarios/corvese/apache-guacamole_user_enum.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: corvese/apache-guacamole_user_enum
 description: "Detect Apache Guacamole user enum bruteforce"
-filter: evt.Meta.log_type == 'apache-guacamole_failed_auth'
+filter: "evt.Meta.service == 'apache-guacamole' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 10s
diff --git a/scenarios/crowdsecurity/asterisk_bf.yaml b/scenarios/crowdsecurity/asterisk_bf.yaml
index aa74218da3d..821f591c4b6 100644
--- a/scenarios/crowdsecurity/asterisk_bf.yaml
+++ b/scenarios/crowdsecurity/asterisk_bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/asterisk_bf
 description: "Detect Asterisk user bruteforce"
-filter: evt.Meta.log_type == 'asterisk_failed_auth'
+filter: "evt.Meta.service == 'asterisk' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 10s
 capacity: 5
diff --git a/scenarios/crowdsecurity/asterisk_user_enum.yaml b/scenarios/crowdsecurity/asterisk_user_enum.yaml
index fae84314962..3e4f966d469 100644
--- a/scenarios/crowdsecurity/asterisk_user_enum.yaml
+++ b/scenarios/crowdsecurity/asterisk_user_enum.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/asterisk_user_enum
 description: "Detect Asterisk user enumeration bruteforce"
-filter: evt.Meta.log_type == 'asterisk_failed_auth'
+filter: "evt.Meta.service == 'asterisk' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 10s
diff --git a/scenarios/crowdsecurity/auth-generic-test.md b/scenarios/crowdsecurity/auth-generic-test.md
new file mode 100644
index 00000000000..c3d5f97c2e3
--- /dev/null
+++ b/scenarios/crowdsecurity/auth-generic-test.md
@@ -0,0 +1,53 @@
+# auth generic test
+
+This scenario is meant to check if CrowdSec is correctly configured for authentication services (excluding SSH, which has its own test scenario). This will trigger an alert, but no decision.
+
+## How to trigger
+
+Attempt a failed login with a username that starts with `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`. The scenario uses `startsWith` matching, so you can use either:
+
+- Plain username: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`
+- Email format: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl@example.com`
+
+### Examples for different services
+
+**Authentik / Authelia:**
+- Try logging in with username: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` or `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl@example.com`
+- Use any password (it should fail)
+
+**Gitea / Jellyfin / Jellyseerr / Grafana / Harbor:**
+- Try logging in with username: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` or `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl@example.com`
+- Use any password (it should fail)
+
+**Web-based authentication services:**
+- Navigate to the login page of your service
+- Enter username: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl` (or with `@domain.com` suffix)
+- Enter any password
+- Submit the login form (it should fail)
+
+**Note:** This scenario only works for authentication services other than SSH. For SSH testing, use the `crowdsecurity/ssh-generic-test` scenario instead.
+
+## Expected results
+
+You will see in your CrowdSec logs:
+
+```
+time="2025-06-12T16:59:45+02:00" level=info msg="Ip performed 'crowdsecurity/auth-generic-test' (1 events over 0s) at 2025-06-12 14:59:45.636887959 +0000 UTC"
+time="2025-06-12T16:59:46+02:00" level=info msg="() alert : crowdsecurity/auth-generic-test by ip xxxxxx"
+time="2025-06-12T16:59:47+02:00" level=info msg="Signal push: 1 signals to push"
+```
+
+`cscli alert list` will present you this alert as well. Please note that this scenario won't trigger any decision, and result in any remediation.
+
+If you don't see anything in logs nor in the alerts list, then you can assume an issue in your setup.
+
+## Requirements
+
+This scenario requires your parser to set the following meta fields:
+- `auth_status`: set to `'failed'` for failed authentication attempts
+- `target_user`: the username that attempted to log in (can be plain username or email format)
+- `service`: the service name (e.g., `authentik`, `gitea`, `jellyfin`, `grafana`, `harbor`, etc.)
+- `source_ip`: the IP address of the client
+
+Beware this WON'T work with local IPs (see [whitelists](https://github.com/crowdsecurity/hub/blob/master/parsers/s02-enrich/crowdsecurity/whitelists.md) that are installed by default).
+
diff --git a/scenarios/crowdsecurity/auth-generic-test.yaml b/scenarios/crowdsecurity/auth-generic-test.yaml
new file mode 100644
index 00000000000..fe1882c1cf6
--- /dev/null
+++ b/scenarios/crowdsecurity/auth-generic-test.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/auth-generic-test
+description: "Crowdsec Generic Test Scenario: authentication failure trigger"
+filter: |
+  evt.Meta.auth_status == 'failed' &&
+  evt.Meta.service != 'ssh' &&
+  evt.Meta.target_user startsWith 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'
+groupby: evt.Meta.source_ip
+blackhole: 1m
+labels:
+  service: authentication
+  remediation: false
+  confidence: 0
+  spoofable: 3
+  behavior: "auth:bruteforce"
+  label: "Crowdsec Generic Auth Test Scenario"
+
diff --git a/scenarios/crowdsecurity/cpanel-bf-attempt.yaml b/scenarios/crowdsecurity/cpanel-bf-attempt.yaml
index 6ac778196ce..61cd8cf2c37 100644
--- a/scenarios/crowdsecurity/cpanel-bf-attempt.yaml
+++ b/scenarios/crowdsecurity/cpanel-bf-attempt.yaml
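Review bot: The new auth-generic-test.yaml filter only excludes `evt.Meta.service != 'ssh'`, so as far as I can tell an event from a parser that sets no `service` at all still matches, while the companion auth-generic-test.md in the previous hunk lists `service` as a required meta field; the yaml and the md should agree on that contract. Either tighten the condition, e.g. `evt.Meta.service not in ['', nil, 'ssh'] &&`, or reword the md to say `service` is recommended rather than required. A short comment above `filter:` stating that SSH is excluded because `crowdsecurity/ssh-generic-test` covers it, and that `startsWith` is deliberate so the e-mail form of the test user also matches, would let a reader understand the yaml without opening the md.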
@@ -1,7 +1,7 @@
 type: trigger
 name: crowdsecurity/cpanel-bf-attempt
 description: "Detect bruteforce attempt on cpanel login"
-filter: "evt.Meta.log_type == 'auth_bf_attempt'"
+filter: "evt.Parsed.program == 'cpanel' && evt.Meta.service == 'http' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
diff --git a/scenarios/crowdsecurity/cpanel-bf.yaml b/scenarios/crowdsecurity/cpanel-bf.yaml
index 8c8d36cd2d3..c0847d3050b 100644
--- a/scenarios/crowdsecurity/cpanel-bf.yaml
+++ b/scenarios/crowdsecurity/cpanel-bf.yaml
@@ -3,7 +3,7 @@ name: crowdsecurity/cpanel-bf
 capacity: 5
 leakspeed: 10s
 description: "Detect bruteforce on cpanel login"
-filter: "evt.Meta.log_type == 'auth_bf_log'"
+filter: "evt.Parsed.program == 'cpanel' && evt.Meta.service == 'http' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
diff --git a/scenarios/crowdsecurity/dovecot-spam.yaml b/scenarios/crowdsecurity/dovecot-spam.yaml
index b421952cd7a..3138d8de52a 100644
--- a/scenarios/crowdsecurity/dovecot-spam.yaml
+++ b/scenarios/crowdsecurity/dovecot-spam.yaml
@@ -3,7 +3,7 @@ type: leaky
 name: crowdsecurity/dovecot-spam
 description: "Detect Dovecot bruteforce"
 debug: false
-filter: "evt.Meta.log_type == 'dovecot_logs' && evt.Meta.dovecot_login_result == 'auth_failed'"
+filter: "evt.Meta.service == 'dovecot' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 capacity: 3
 leakspeed: "360s"
diff --git a/scenarios/crowdsecurity/exim-bf.yaml b/scenarios/crowdsecurity/exim-bf.yaml
index b926dbd6a43..74587fffe22 100644
--- a/scenarios/crowdsecurity/exim-bf.yaml
+++ b/scenarios/crowdsecurity/exim-bf.yaml
@@ -2,7 +2,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/exim-bf
 description: "Detect Exim brute force"
-filter: "evt.Meta.log_type == 'exim_failed_auth'"
+filter: "evt.Meta.service == 'exim' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 capacity: 5
 leakspeed: "10s"
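Review bot: The two cpanel filters identify the service through `evt.Parsed.program == 'cpanel' && evt.Meta.service == 'http'`, whereas every other scenario in this commit keys on `evt.Meta.service == '<service>'`; reading `evt.Parsed` ties the scenario to the parser's internal field names instead of the meta contract the rest of the change establishes, and `service == 'http'` makes cpanel look like a generic HTTP bucket. If the cpanel parser can set `evt.Meta.service` to `cpanel`, both hunks (cpanel-bf-attempt and cpanel-bf) would become `filter: "evt.Meta.service == 'cpanel' && evt.Meta.auth_status == 'failed'"`. If `http` is intentional because the events arrive through a shared HTTP parser, a one-line comment above `filter:` saying so would save the next reader a trip to the parser.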
@@ -21,9 +21,9 @@ type: leaky
 #debug: true
 name: crowdsecurity/exim-user-bf
 description: "Detect Exim user email brute force"
-filter: "evt.Meta.log_type == 'exim_failed_auth'"
+filter: "evt.Meta.service == 'exim' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 capacity: 5
 leakspeed: "10s"
 blackhole: 1m
diff --git a/scenarios/crowdsecurity/home-assistant-bf.yaml b/scenarios/crowdsecurity/home-assistant-bf.yaml
index 129443f3e5c..1ba3118249b 100644
--- a/scenarios/crowdsecurity/home-assistant-bf.yaml
+++ b/scenarios/crowdsecurity/home-assistant-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/home-assistant-bf
 description: "Detect Home Assistant bruteforce"
-filter: evt.Meta.log_type == 'home-assistant_failed_auth'
+filter: "evt.Meta.service == 'home-assistant' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/impossible-travel-user.md b/scenarios/crowdsecurity/impossible-travel-user.md
index 5f3e794e296..1104d4163c1 100644
--- a/scenarios/crowdsecurity/impossible-travel-user.md
+++ b/scenarios/crowdsecurity/impossible-travel-user.md
@@ -1,8 +1,17 @@
-Generic implementation of impossible travel to detect users logging in from two different locations in a short period of time. If you wish write a parser to fall into this generic bucket you must set the following attributes on the `meta` object:
+Generic implementation of impossible travel to detect users logging in from two different locations in a short period of time. If you wish to write a parser to fall into this generic bucket you must set the following attributes on the `meta` object:
 
-- `log_type`: `auth_success`
-- `source_ip`: the IP address
-- `user`: the user that logged in
-- `service`: the service the user logged in to EG `ssh`
+- `auth_status`: set to `'success'` for successful authentications
+- `source_ip`: the IP address of the client (required for geoip enrichment)
+- `target_user`: the username that logged in
+- `service`: the service the user logged in to (e.g., `ssh`, `teleport`)
 
-It is important to set the `service` attribute as this is how the buckets are separated. If you do not set the `service` attribute, all the events for the same user will fall into the same bucket not matter if it was a different service which could lead to false positives.
\ No newline at end of file
+It is important to set the `service` attribute as this is how the buckets are separated. If you do not set the `service` attribute, all the events for the same user will fall into the same bucket no matter if it was a different service which could lead to false positives.
+
+The scenario detects impossible travel when:
+- At least 2 successful authentications are recorded
+- The distance between consecutive login locations is greater than 1000 km
+- All within a 3 hour window (leakspeed)
+
+Note: This scenario requires geoip enrichment to be enabled (via the `geoip-enrich` parser) to calculate the distance between login locations.
+
+This variant includes username scope remediation, meaning decisions can be scoped to the username rather than just the IP address. To enable username-based remediation, you must configure a profile in CrowdSec that handles username-scoped decisions.
\ No newline at end of file
diff --git a/scenarios/crowdsecurity/impossible-travel-user.yaml b/scenarios/crowdsecurity/impossible-travel-user.yaml
index 438d2b09771..27dfa37cfe9 100644
--- a/scenarios/crowdsecurity/impossible-travel-user.yaml
+++ b/scenarios/crowdsecurity/impossible-travel-user.yaml
@@ -2,8 +2,8 @@
 type: conditional
 name: crowdsecurity/impossible-travel-user
 description: "impossible travel user"
-filter: "evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"
-groupby: "evt.Meta.service + evt.Meta.user"
+filter: "evt.Meta.auth_status == 'success' && evt.Meta.target_user not in ['', nil]"
+groupby: "evt.Meta.service + evt.Meta.target_user"
 # To make it generic we concatenate the service name and the user
 capacity: -1
 condition: |
@@ -13,7 +13,7 @@ condition: |
 leakspeed: 3h
 scope:
   type: username
-  expression: evt.Meta.user
+  expression: evt.Meta.target_user
 labels:
   remediation: false
   classification:
diff --git a/scenarios/crowdsecurity/impossible-travel.md b/scenarios/crowdsecurity/impossible-travel.md
index 5f3e794e296..b6743d007e5 100644
--- a/scenarios/crowdsecurity/impossible-travel.md
+++ b/scenarios/crowdsecurity/impossible-travel.md
@@ -1,8 +1,15 @@
-Generic implementation of impossible travel to detect users logging in from two different locations in a short period of time. If you wish write a parser to fall into this generic bucket you must set the following attributes on the `meta` object:
+Generic implementation of impossible travel to detect users logging in from two different locations in a short period of time. If you wish to write a parser to fall into this generic bucket you must set the following attributes on the `meta` object:
 
-- `log_type`: `auth_success`
-- `source_ip`: the IP address
-- `user`: the user that logged in
-- `service`: the service the user logged in to EG `ssh`
+- `auth_status`: set to `'success'` for successful authentications
+- `source_ip`: the IP address of the client (required for geoip enrichment)
+- `target_user`: the username that logged in
+- `service`: the service the user logged in to (e.g., `ssh`, `teleport`)
 
-It is important to set the `service` attribute as this is how the buckets are separated. If you do not set the `service` attribute, all the events for the same user will fall into the same bucket not matter if it was a different service which could lead to false positives.
\ No newline at end of file
+It is important to set the `service` attribute as this is how the buckets are separated. If you do not set the `service` attribute, all the events for the same user will fall into the same bucket no matter if it was a different service which could lead to false positives.
+
+The scenario detects impossible travel when:
+- At least 2 successful authentications are recorded
+- The distance between consecutive login locations is greater than 1000 km
+- All within a 3 hour window (leakspeed)
+
+Note: This scenario requires geoip enrichment to be enabled (via the `geoip-enrich` parser) to calculate the distance between login locations.
\ No newline at end of file
diff --git a/scenarios/crowdsecurity/impossible-travel.yaml b/scenarios/crowdsecurity/impossible-travel.yaml
index 5df137184dd..9473f727ecf 100644
--- a/scenarios/crowdsecurity/impossible-travel.yaml
+++ b/scenarios/crowdsecurity/impossible-travel.yaml
@@ -2,8 +2,8 @@
 type: conditional
 name: crowdsecurity/impossible-travel
 description: "Detect Impossible Travel"
-filter: "evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"
-groupby: "evt.Meta.service + evt.Meta.user"
+filter: "evt.Meta.auth_status == 'success' && evt.Meta.target_user not in ['', nil]"
+groupby: "evt.Meta.service + evt.Meta.target_user"
 # To make it generic we concatenate the service name and the user
 capacity: -1
 condition: |
diff --git a/scenarios/crowdsecurity/mariadb-bf.yaml b/scenarios/crowdsecurity/mariadb-bf.yaml
index 83213edf5a0..e79119f05cb 100644
--- a/scenarios/crowdsecurity/mariadb-bf.yaml
+++ b/scenarios/crowdsecurity/mariadb-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/mariadb-bf
 description: "Detect mariadb bruteforce"
-filter: evt.Meta.log_type == 'mariadb_failed_auth'
+filter: "evt.Meta.service == 'mariadb' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/mssql-bf.yaml b/scenarios/crowdsecurity/mssql-bf.yaml
index 2310f2325ba..301c0765c33 100644
--- a/scenarios/crowdsecurity/mssql-bf.yaml
+++ b/scenarios/crowdsecurity/mssql-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/mssql-bf
 description: "Detect mssql bruteforce"
-filter: evt.Meta.log_type == 'mssql_failed_auth'
+filter: "evt.Meta.service == 'mssql' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/mysql-bf.yaml b/scenarios/crowdsecurity/mysql-bf.yaml
index 11e926b27a7..230317d148f 100644
--- a/scenarios/crowdsecurity/mysql-bf.yaml
+++ b/scenarios/crowdsecurity/mysql-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/mysql-bf
 description: "Detect mysql bruteforce"
-filter: evt.Meta.log_type == 'mysql_failed_auth'
+filter: "evt.Meta.service == 'mysql' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/nextcloud-bf.yaml b/scenarios/crowdsecurity/nextcloud-bf.yaml
index 636d00c970b..fe02c6f081a 100644
--- a/scenarios/crowdsecurity/nextcloud-bf.yaml
+++ b/scenarios/crowdsecurity/nextcloud-bf.yaml
@@ -2,13 +2,13 @@
 type: leaky
 name: crowdsecurity/nextcloud-bf
 description: "Detect Nextcloud bruteforce"
-filter: "evt.Meta.log_type in ['nextcloud_failed_auth', 'nextcloud_bruteforce_attempt']"
+filter: "evt.Meta.service == 'nextcloud' && evt.Meta.auth_status == 'failed'"
 leakspeed: "1m"
 capacity: 5
 # if we have bruteforce protection enabled in nextcloud, the same login attempt
 # can log # both login failure and bruteforce attempt at the same time, so
 # keep them in seperate buckets
-groupby: evt.Meta.source_ip + '--' + evt.Meta.log_type
+groupby: evt.Meta.source_ip
 blackhole: 5m
 reprocess: true
 labels:
@@ -24,7 +24,7 @@ labels:
 type: leaky
 name: crowdsecurity/nextcloud-bf_user_enum
 description: "Detect Nextcloud user enum bruteforce"
-filter: "evt.Meta.log_type == 'nextcloud_failed_auth'"
+filter: "evt.Meta.service == 'nextcloud' && evt.Meta.auth_status == 'failed'"
 leakspeed: "1m"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/odoo-bf_user-enum.yaml b/scenarios/crowdsecurity/odoo-bf_user-enum.yaml
index 22ea7e0e52d..92585957c12 100644
--- a/scenarios/crowdsecurity/odoo-bf_user-enum.yaml
+++ b/scenarios/crowdsecurity/odoo-bf_user-enum.yaml
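Review bot: The comment kept as context in the first nextcloud-bf hunk (`# if we have bruteforce protection enabled ... keep them in seperate buckets`) describes a groupby that the same hunk removes: with `groupby: evt.Meta.source_ip` the former `nextcloud_failed_auth` and `nextcloud_bruteforce_attempt` events from one login attempt now share a bucket, so a single attempt can pour two events and `capacity: 5` would overflow after about three attempts when Nextcloud's own bruteforce protection is on — unless the parser now emits one `auth_status == 'failed'` event per attempt, which I cannot see from this diff. Either replace the three comment lines with one stating that the parser de-duplicates the two log lines, or keep a way to tell the two event kinds apart in the groupby. The `nextcloud-bf_user_enum` hunk below is less exposed because `distinct` already collapses repeats of the same user.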
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/odoo-bf
 description: "Detect bruteforce on odoo web interface"
-filter: evt.Meta.log_type == 'odoo_failed_auth'
+filter: "evt.Meta.service == 'odoo' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: crowdsecurity/odoo_user-enum
 description: "Detect odoo user enum"
-filter: evt.Meta.log_type == 'odoo_failed_auth'
+filter: "evt.Meta.service == 'odoo' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/crowdsecurity/opnsense-gui-bf.yaml b/scenarios/crowdsecurity/opnsense-gui-bf.yaml
index 7ce45b62931..ad25b8b3142 100644
--- a/scenarios/crowdsecurity/opnsense-gui-bf.yaml
+++ b/scenarios/crowdsecurity/opnsense-gui-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/opnsense-gui-bf
 description: "Detect bruteforce on opnsense web interface"
-filter: evt.Meta.log_type == 'opnsense-gui-failed-auth'
+filter: "evt.Meta.service == 'opnsense-gui' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/pfsense-gui-bf.yaml b/scenarios/crowdsecurity/pfsense-gui-bf.yaml
index 2ddaf1b8836..ee596fa3f5b 100644
--- a/scenarios/crowdsecurity/pfsense-gui-bf.yaml
+++ b/scenarios/crowdsecurity/pfsense-gui-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/pfsense-gui-bf
 description: "Detect bruteforce on pfsense web interface"
-filter: evt.Meta.log_type == 'pfsense-gui-failed-auth'
+filter: "evt.Meta.service == 'pfsense-gui' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/pgsql-bf.yaml b/scenarios/crowdsecurity/pgsql-bf.yaml
index 338b74e4b7c..cb4e4f3b6d2 100644
--- a/scenarios/crowdsecurity/pgsql-bf.yaml
+++ b/scenarios/crowdsecurity/pgsql-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/pgsql-bf
 description: "Detect PgSQL bruteforce"
-filter: evt.Meta.log_type == 'pgsql_failed_auth'
+filter: "evt.Meta.service == 'pgsql' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/pgsql-user-enum.yaml b/scenarios/crowdsecurity/pgsql-user-enum.yaml
index b8138a2e634..f9eca4f29e9 100644
--- a/scenarios/crowdsecurity/pgsql-user-enum.yaml
+++ b/scenarios/crowdsecurity/pgsql-user-enum.yaml
@@ -1,9 +1,9 @@
 type: leaky
 name: crowdsecurity/pgsql-user-enum
 description: "Detect postgresql user enumeration"
-filter: evt.Meta.log_type == 'pgsql_failed_auth'
+filter: "evt.Meta.service == 'pgsql' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/crowdsecurity/proftpd-bf.yaml b/scenarios/crowdsecurity/proftpd-bf.yaml
index e233ba52cb7..72cfe4dc917 100644
--- a/scenarios/crowdsecurity/proftpd-bf.yaml
+++ b/scenarios/crowdsecurity/proftpd-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/proftpd-bf
 description: "Detect proftpd bruteforce"
-filter: "evt.Meta.log_type == 'ftp_failed_auth'"
+filter: "evt.Meta.service == 'proftpd' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/proftpd-bf_user-enum.yaml b/scenarios/crowdsecurity/proftpd-bf_user-enum.yaml
index 6d453b16c19..46d68c545c5 100644
--- a/scenarios/crowdsecurity/proftpd-bf_user-enum.yaml
+++ b/scenarios/crowdsecurity/proftpd-bf_user-enum.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/proftpd-bf_user-enum
 description: "Detect proftpd user enum bruteforce"
-filter: evt.Meta.log_type == 'ftp_failed_auth'
+filter: "evt.Meta.service == 'proftpd' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 10s
diff --git a/scenarios/crowdsecurity/sabnzbd-bf.yaml b/scenarios/crowdsecurity/sabnzbd-bf.yaml
index 9a0aa69386b..b91d638960f 100644
--- a/scenarios/crowdsecurity/sabnzbd-bf.yaml
+++ b/scenarios/crowdsecurity/sabnzbd-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/sabnzbd-bf
 description: "Detect sabnzbd bruteforce"
-filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.log_type == 'sabnzbd_failed_auth'"
+filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 3
 groupby: evt.Meta.source_ip
@@ -22,7 +22,7 @@ labels:
 type: leaky
 name: crowdsecurity/sabnzbd-slow-bf
 description: "Detect sabnzbd slow bruteforce"
-filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.log_type == 'sabnzbd_failed_auth'"
+filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.auth_status == 'failed'"
 leakspeed: "60s"
 capacity: 10
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/smb-bf.yaml b/scenarios/crowdsecurity/smb-bf.yaml
index ad7171cd120..2ddd842f2c6 100644
--- a/scenarios/crowdsecurity/smb-bf.yaml
+++ b/scenarios/crowdsecurity/smb-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/smb-bf
 description: "Detect smb bruteforce"
-filter: evt.Meta.log_type == 'smb_failed_auth'
+filter: "evt.Meta.service == 'smb' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/ssh-bf.yaml b/scenarios/crowdsecurity/ssh-bf.yaml
index 0cb67f37573..009764de1da 100644
--- a/scenarios/crowdsecurity/ssh-bf.yaml
+++ b/scenarios/crowdsecurity/ssh-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/ssh-bf
 description: "Detect ssh bruteforce"
-filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+filter: "evt.Meta.service == 'ssh' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 references:
   - http://wikipedia.com/ssh-bf-is-bad
@@ -24,7 +24,7 @@ labels:
 type: leaky
 name: crowdsecurity/ssh-bf_user-enum
 description: "Detect ssh user enum bruteforce"
-filter: evt.Meta.log_type == 'ssh_failed-auth'
+filter: "evt.Meta.service == 'ssh' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 10s
diff --git a/scenarios/crowdsecurity/ssh-generic-test.yaml b/scenarios/crowdsecurity/ssh-generic-test.yaml
index 1a37052d06b..509cfe657f0 100644
--- a/scenarios/crowdsecurity/ssh-generic-test.yaml
+++ b/scenarios/crowdsecurity/ssh-generic-test.yaml
@@ -2,7 +2,7 @@
 type: trigger
 name: crowdsecurity/ssh-generic-test
 description: "Crowdsec Generic Test Scenario: SSH brute force trigger"
-filter: "evt.Meta.log_type == 'ssh_failed-auth' && evt.Meta.target_user == 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
+filter: "evt.Meta.service == 'ssh' && evt.Meta.auth_status == 'failed' && evt.Meta.target_user == 'crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl'"
 groupby: evt.Meta.source_ip
 blackhole: 1m
 labels:
diff --git a/scenarios/crowdsecurity/ssh-slow-bf.yaml b/scenarios/crowdsecurity/ssh-slow-bf.yaml
index 53c8967f550..6fa272f612e 100644
--- a/scenarios/crowdsecurity/ssh-slow-bf.yaml
+++ b/scenarios/crowdsecurity/ssh-slow-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/ssh-slow-bf
 description: "Detect slow ssh bruteforce"
-filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+filter: "evt.Meta.service == 'ssh' && evt.Meta.auth_status == 'failed'"
 leakspeed: "60s"
 references:
   - http://wikipedia.com/ssh-bf-is-bad
@@ -24,7 +24,7 @@ labels:
 type: leaky
 name: crowdsecurity/ssh-slow-bf_user-enum
 description: "Detect slow ssh user enum bruteforce"
-filter: evt.Meta.log_type == 'ssh_failed-auth'
+filter: "evt.Meta.service == 'ssh' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 60s
diff --git a/scenarios/crowdsecurity/stirling-pdf-bf.yaml b/scenarios/crowdsecurity/stirling-pdf-bf.yaml
index f77a9ced712..032affbcadb 100644
--- a/scenarios/crowdsecurity/stirling-pdf-bf.yaml
+++ b/scenarios/crowdsecurity/stirling-pdf-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/stirling-pdf-bf
 description: "Detect stirling pdf bruteforce"
-filter: "evt.Meta.service == 'stirling-pdf' && evt.Meta.log_type == 'failed_authentication'"
+filter: "evt.Meta.service == 'stirling-pdf' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 3
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/synology-dsm-bf.yaml b/scenarios/crowdsecurity/synology-dsm-bf.yaml
index 7925ce263cb..8e5f636980a 100644
--- a/scenarios/crowdsecurity/synology-dsm-bf.yaml
+++ b/scenarios/crowdsecurity/synology-dsm-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/synology-dsm-bf
 description: "Detect Synology DSM web auth bruteforce"
-filter: "evt.Meta.log_type == 'synology-dsm_failed_auth'"
+filter: "evt.Meta.service == 'synology-dsm' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/thehive-bf.yaml b/scenarios/crowdsecurity/thehive-bf.yaml
index c6b47800da3..c5c718ec5ae 100644
--- a/scenarios/crowdsecurity/thehive-bf.yaml
+++ b/scenarios/crowdsecurity/thehive-bf.yaml
@@ -2,13 +2,13 @@ type: leaky
 debug: false
 name: crowdsecurity/thehive-bf
 description: "Detect bruteforce on Thehive web interface"
-filter: evt.Meta.log_type == 'thehive_failed_auth'
+filter: "evt.Meta.service == 'thehive' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
-  service: http
+  service: thehive
   confidence: 3
   spoofable: 0
   classification:
diff --git a/scenarios/crowdsecurity/vsftpd-bf.yaml b/scenarios/crowdsecurity/vsftpd-bf.yaml
index 43902fcbabd..32b6961a659 100644
--- a/scenarios/crowdsecurity/vsftpd-bf.yaml
+++ b/scenarios/crowdsecurity/vsftpd-bf.yaml
@@ -2,7 +2,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/vsftpd-bf
 description: "Detect FTP bruteforce (vsftpd)"
-filter: evt.Meta.log_type == 'ftp_failed_auth'
+filter: "evt.Meta.service == 'vsftpd' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/windows-bf.yaml b/scenarios/crowdsecurity/windows-bf.yaml
index 6610c00176b..32d120466c7 100644
--- a/scenarios/crowdsecurity/windows-bf.yaml
+++ b/scenarios/crowdsecurity/windows-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: crowdsecurity/windows-bf
 description: "Detect windows auth bruteforce"
-filter: "evt.Meta.log_type == 'windows_failed_auth'"
+filter: "evt.Meta.service == 'windows' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/crowdsecurity/wireguard-auth.yaml b/scenarios/crowdsecurity/wireguard-auth.yaml
index e54a19671da..073eb86caf1 100644
--- a/scenarios/crowdsecurity/wireguard-auth.yaml
+++ b/scenarios/crowdsecurity/wireguard-auth.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/wireguard-auth
 description: "Detects rejected connections attempts and unauthorized packets through wireguard tunnels"
-filter: "evt.Meta.log_type == 'wireguard_failed_auth'"
+filter: "evt.Meta.service == 'wireguard' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: "30s"
 capacity: 3
diff --git a/scenarios/firix/authentik-bf.yaml b/scenarios/firix/authentik-bf.yaml
index 9a96c67ace5..73ca8a5cf7e 100644
--- a/scenarios/firix/authentik-bf.yaml
+++ b/scenarios/firix/authentik-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: firix/authentik-bf
 description: "Detect authentik bruteforce"
-filter: evt.Meta.log_type in ['authentik_failed_auth', 'authentik_invalid_username']
+filter: "evt.Meta.service == 'authentik' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 20s
 capacity: 5
@@ -21,9 +21,9 @@ labels:
 type: leaky
 name: firix/authentik-bf_user-enum
 description: "Detect authentik user enum bruteforce"
-filter: evt.Meta.log_type in ['authentik_failed_auth', 'authentik_invalid_username']
+filter: "evt.Meta.service == 'authentik' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/fulljackz/proxmox-bf.yaml b/scenarios/fulljackz/proxmox-bf.yaml
index 4c60805a59a..4ed500c5a45 100644
--- a/scenarios/fulljackz/proxmox-bf.yaml
+++ b/scenarios/fulljackz/proxmox-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: fulljackz/proxmox-bf
 description: "Detect proxmox bruteforce"
-filter: "evt.Meta.log_type == 'pve_failed-auth'"
+filter: "evt.Meta.service == 'proxmox' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -23,11 +23,11 @@ labels:
 type: leaky
 name: fulljackz/proxmox-bf-user-enum
 description: "Detect proxmox wrong username"
-filter: "evt.Meta.log_type == 'pve_failed-auth'"
+filter: "evt.Meta.service == 'proxmox' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.source_user
+distinct: evt.Meta.target_user
 blackhole: 1m
 reprocess: true
 labels:
diff --git a/scenarios/fulljackz/pureftpd-bf.yaml b/scenarios/fulljackz/pureftpd-bf.yaml
index 40269ba08ca..6e40159b545 100644
--- a/scenarios/fulljackz/pureftpd-bf.yaml
+++ b/scenarios/fulljackz/pureftpd-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: fulljackz/pureftpd-bf
 description: "Detect pureftpd bruteforce"
-filter: "evt.Meta.log_type == 'pftpd_failed-auth'"
+filter: "evt.Meta.service == 'pureftpd' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/gauth-fr/immich-bf.yaml b/scenarios/gauth-fr/immich-bf.yaml
index 05b9ad7750d..a2eed289af8 100644
--- a/scenarios/gauth-fr/immich-bf.yaml
+++ b/scenarios/gauth-fr/immich-bf.yaml
@@ -1,7 +1,7 @@
 # immich BF scan
 name: gauth-fr/immich-bf
 description: "Detect immich bruteforce"
-filter: "evt.Meta.log_type == 'immich_failed_auth'"
+filter: "evt.Meta.service == 'immich' && evt.Meta.auth_status == 'failed'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
@@ -22,9 +22,9 @@ labels:
 type: leaky
 name: gauth-fr/immich-bf_user-enum
 description: "Detect immich user enum bruteforce"
-filter: "evt.Meta.log_type == 'immich_failed_auth'"
+filter: "evt.Meta.service == 'immich' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/hitech95/mail-generic-bf.yaml b/scenarios/hitech95/mail-generic-bf.yaml
index f0cc6561925..82e6ad60bde 100644
--- a/scenarios/hitech95/mail-generic-bf.yaml
+++ b/scenarios/hitech95/mail-generic-bf.yaml
@@ -3,7 +3,7 @@ type: leaky
 #debug: true
 name: hitech95/email-generic-bf
 description: "Detect generic email brute force"
-filter: "evt.Meta.log_type == 'mail_auth' && evt.Meta.sub_type == 'auth_fail'"
+filter: "evt.Meta.service == 'nginxmail' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 capacity: 5
 leakspeed: "10s"
@@ -23,9 +23,9 @@ type: leaky
 #debug: true
 name: hitech95/email-user-bf
 description: "Detect specific user email brute force"
-filter: "evt.Meta.log_type == 'mail_auth' && evt.Meta.sub_type == 'auth_fail'"
+filter: "evt.Meta.service == 'nginxmail' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 capacity: 3
 leakspeed: "30s"
 blackhole: 1m
diff --git a/scenarios/jbowdre/miniflux-bf.yaml b/scenarios/jbowdre/miniflux-bf.yaml
index 7bc8e19ef97..0ba8963e4f3 100644
--- a/scenarios/jbowdre/miniflux-bf.yaml
+++ b/scenarios/jbowdre/miniflux-bf.yaml
@@ -1,7 +1,7 @@
 # miniflux BF scan
 name: jbowdre/miniflux-bf
 description: "Detect miniflux bruteforce"
-filter: "evt.Meta.log_type == 'miniflux_failed_auth'"
+filter: "evt.Meta.service == 'miniflux' && evt.Meta.auth_status == 'failed'"
 type: leaky
 groupby: evt.Meta.source_ip
 leakspeed: 20s
@@ -21,9 +21,9 @@ labels:
 type: leaky
 name: jbowdre/miniflux-bf_user-enum
 description: "Detect miniflux user enum bruteforce"
-filter: "evt.Meta.log_type == 'miniflux_failed_auth'"
+filter: "evt.Meta.service == 'miniflux' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 1m
 capacity: 5
 blackhole: 1m
diff --git a/scenarios/jusabatier/apereo-cas-bf.yaml b/scenarios/jusabatier/apereo-cas-bf.yaml
index c9054e88976..138a3eed8d9 100644
--- a/scenarios/jusabatier/apereo-cas-bf.yaml
+++ b/scenarios/jusabatier/apereo-cas-bf.yaml
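Review bot: hitech95/email-generic-bf keeps the description "Detect generic email brute force" while its filter is now pinned to `evt.Meta.service == 'nginxmail'`, whereas the removed `evt.Meta.log_type == 'mail_auth' && evt.Meta.sub_type == 'auth_fail'` predicate did not name a producer; if any other mail parser emitted those `mail_auth`/`auth_fail` events, their failed logins now fall out of both buckets in this file. Either confirm that the nginx mail proxy parser is the only producer and align the text, `description: "Detect nginx mail proxy brute force"`, or keep the scenario generic with `evt.Meta.auth_status == 'failed'` and an `evt.Meta.service in [...]` list covering every mail parser that was migrated. The second hunk (-23) applies the same narrowing to hitech95/email-user-bf and should follow whichever choice is made here.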
@@ -2,7 +2,7 @@
 type: leaky
 name: jusabatier/apereo-cas-bf
 description: "Detect CAS bruteforce"
-filter: "evt.Meta.log_type == 'cas_failed-auth'"
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 leakspeed: "10s"
 references:
 - http://wikipedia.com/cas-bf-is-bad
@@ -24,7 +24,7 @@ labels:
 type: leaky
 name: jusabatier/apereo-cas-bf_user-enum
 description: "Detect CAS user enum bruteforce"
-filter: evt.Meta.log_type == 'cas_failed-auth'
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 10s
diff --git a/scenarios/jusabatier/apereo-cas-slow-bf.yaml b/scenarios/jusabatier/apereo-cas-slow-bf.yaml
index d86a3870cde..fedc022f0a1 100644
--- a/scenarios/jusabatier/apereo-cas-slow-bf.yaml
+++ b/scenarios/jusabatier/apereo-cas-slow-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: jusabatier/cas-slow-bf
 description: "Detect slow CAS bruteforce"
-filter: "evt.Meta.log_type == 'cas_failed-auth'"
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 leakspeed: "60s"
 references:
 - http://wikipedia.com/cas-bf-is-bad
@@ -24,7 +24,7 @@ labels:
 type: leaky
 name: jusabatier/cas-slow-bf_user-enum
 description: "Detect slow CAS user enum bruteforce"
-filter: evt.Meta.log_type == 'cas_failed-auth'
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 60s
diff --git a/scenarios/jusabatier/cas-slow-bf.yaml b/scenarios/jusabatier/cas-slow-bf.yaml
index 8383fb64984..4cdfd0bdc23 100644
--- a/scenarios/jusabatier/cas-slow-bf.yaml
+++ b/scenarios/jusabatier/cas-slow-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: jusabatier/apereo-cas-slow-bf
 description: "Detect slow CAS bruteforce"
-filter: "evt.Meta.log_type == 'cas_failed-auth'"
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 leakspeed: "60s"
 references:
 - http://wikipedia.com/cas-bf-is-bad
@@ -25,7 +25,7 @@ labels:
 type: leaky
 name: jusabatier/apereo-cas-slow-bf_user-enum
 description: "Detect slow CAS user enum bruteforce"
-filter: evt.Meta.log_type == 'cas_failed-auth'
+filter: "evt.Meta.service == 'cas' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 60s
diff --git a/scenarios/plague-doctor/audiobookshelf-bf.yaml b/scenarios/plague-doctor/audiobookshelf-bf.yaml
index 254eb391905..0eaac26047e 100644
--- a/scenarios/plague-doctor/audiobookshelf-bf.yaml
+++ b/scenarios/plague-doctor/audiobookshelf-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: plague-doctor/audiobookshelf-bf
 description: "Detect Audiobookshelf bruteforce attacks"
-filter: "evt.Meta.service == 'audiobookshelf' && evt.Meta.log_type == 'abs_failed_auth'"
+filter: "evt.Meta.service == 'audiobookshelf' && evt.Meta.auth_status == 'failed'"
 leakspeed: 1m
 capacity: 3
 groupby: evt.Meta.source_ip
diff --git a/scenarios/schiz0phr3ne/prowlarr-bf.yaml b/scenarios/schiz0phr3ne/prowlarr-bf.yaml
index b328e4a242e..34c306520e9 100644
--- a/scenarios/schiz0phr3ne/prowlarr-bf.yaml
+++ b/scenarios/schiz0phr3ne/prowlarr-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: schiz0phr3ne/prowlarr-bf
 description: "Detect Prowlarr bruteforce"
-filter: "evt.Meta.log_type in ['prowlarr_failed_authentication']"
+filter: "evt.Meta.service == 'prowlarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "15s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,11 +22,11 @@ labels:
 type: leaky
 name: schiz0phr3ne/prowlarr-bf_user-enum
 description: "Detect Prowlarr user enum bruteforce"
-filter: "evt.Meta.log_type in ['prowlarr_failed_authentication']"
+filter: "evt.Meta.service == 'prowlarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "30s"
 capacity: 5
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 blackhole: 1m
 reprocess: true
 labels:
diff --git a/scenarios/schiz0phr3ne/radarr-bf.yaml b/scenarios/schiz0phr3ne/radarr-bf.yaml
index 9ed1ce1b500..a3439c93b0f 100644
--- a/scenarios/schiz0phr3ne/radarr-bf.yaml
+++ b/scenarios/schiz0phr3ne/radarr-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: schiz0phr3ne/radarr-bf
 description: "Detect Radarr bruteforce"
-filter: "evt.Meta.log_type in ['radarr_failed_authentication']"
+filter: "evt.Meta.service == 'radarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "15s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,11 +22,11 @@ labels:
 type: leaky
 name: schiz0phr3ne/radarr-bf_user-enum
 description: "Detect Radarr user enum bruteforce"
-filter: "evt.Meta.log_type in ['radarr_failed_authentication']"
+filter: "evt.Meta.service == 'radarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "30s"
 capacity: 5
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 blackhole: 1m
 reprocess: true
 labels:
diff --git a/scenarios/schiz0phr3ne/sonarr-bf.yaml b/scenarios/schiz0phr3ne/sonarr-bf.yaml
index f9f59ea955b..896feb25423 100644
--- a/scenarios/schiz0phr3ne/sonarr-bf.yaml
+++ b/scenarios/schiz0phr3ne/sonarr-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: schiz0phr3ne/sonarr-bf
 description: "Detect Sonarr bruteforce"
-filter: "evt.Meta.log_type in ['sonarr_failed_authentication']"
+filter: "evt.Meta.service == 'sonarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "15s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,11 +22,11 @@ labels:
 type: leaky
 name: schiz0phr3ne/sonarr-bf_user-enum
 description: "Detect Sonarr user enum bruteforce"
-filter: "evt.Meta.log_type in ['sonarr_failed_authentication']"
+filter: "evt.Meta.service == 'sonarr' && evt.Meta.auth_status == 'failed'"
 leakspeed: "30s"
 capacity: 5
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 blackhole: 1m
 reprocess: true
 labels:
diff --git a/scenarios/sdwilsh/navidrome-bf.yaml b/scenarios/sdwilsh/navidrome-bf.yaml
index 7791733c4ff..718155a172a 100644
--- a/scenarios/sdwilsh/navidrome-bf.yaml
+++ b/scenarios/sdwilsh/navidrome-bf.yaml
@@ -2,7 +2,7 @@
 blackhole: 1m
 capacity: 5
 description: A scenario that detects excessive login attempts per unique IP
-filter: evt.Meta.log_type == 'navidrome_failed_auth'
+filter: "evt.Meta.service == 'navidrome' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 labels:
 behavior: generic:bruteforce
diff --git a/scenarios/timokoessler/mongodb-bf.yaml b/scenarios/timokoessler/mongodb-bf.yaml
index 053169e65ed..b0ddeed0d92 100644
--- a/scenarios/timokoessler/mongodb-bf.yaml
+++ b/scenarios/timokoessler/mongodb-bf.yaml
@@ -2,7 +2,7 @@
 type: leaky
 name: timokoessler/mongodb-bf
 description: "Detect mongodb bruteforce"
-filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
+filter: "evt.Meta.service == 'mongodb' && evt.Meta.auth_status == 'failed'"
 leakspeed: "20s"
 capacity: 5
 groupby: evt.Meta.source_ip
@@ -22,11 +22,11 @@ labels:
 type: leaky
 name: timokoessler/mongodb-bf_user-enum
 description: "Detect mongodb user enum bruteforce"
-filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
+filter: "evt.Meta.service == 'mongodb' && evt.Meta.auth_status == 'failed'"
 leakspeed: "40s"
 capacity: 5
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.username
+distinct: evt.Meta.target_user
 blackhole: 1m
 reprocess: true
 labels:
@@ -44,7 +44,7 @@ labels:
 type: leaky
 name: timokoessler/mongodb-bf_auth-db-enum
 description: "Detect mongodb authentication database enum bruteforce"
-filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
+filter: "evt.Meta.service == 'mongodb' && evt.Meta.auth_status == 'failed'"
 leakspeed: "40s"
 capacity: 5
 groupby: evt.Meta.source_ip
diff --git a/scenarios/xs539/bookstack-bf.yaml b/scenarios/xs539/bookstack-bf.yaml
index 04230fc97b3..058ba24a9cc 100644
--- a/scenarios/xs539/bookstack-bf.yaml
+++ b/scenarios/xs539/bookstack-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: xs539/bookstack-bf
 description: "Detect bookstack bruteforce"
-filter: "evt.Meta.log_type == 'bookstack_failed_auth'"
+filter: "evt.Meta.service == 'bookstack' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 15m
 capacity: 3
@@ -19,7 +19,7 @@ labels:
 type: leaky
 name: xs539/bookstack-bf_user-enum
 description: "Detect bookstack bruteforce"
-filter: "evt.Meta.log_type == 'bookstack_failed_auth'"
+filter: "evt.Meta.service == 'bookstack' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 15m
diff --git a/scenarios/xs539/joplin-server-bf.yaml b/scenarios/xs539/joplin-server-bf.yaml
index 0e4158828b5..d73487ac6fe 100644
--- a/scenarios/xs539/joplin-server-bf.yaml
+++ b/scenarios/xs539/joplin-server-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: xs539/joplin-server-bf
 description: "Detect Joplin Server bruteforce"
-filter: "evt.Meta.log_type == 'joplin_server_failed_auth'"
+filter: "evt.Meta.service == 'joplin' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 leakspeed: 15m
 capacity: 3
@@ -19,7 +19,7 @@ labels:
 type: leaky
 name: xs539/joplin-server-bf_user-enum
 description: "Detect Joplin Server bruteforce"
-filter: "evt.Meta.log_type == 'joplin_server_failed_auth'"
+filter: "evt.Meta.service == 'joplin' && evt.Meta.auth_status == 'failed'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user
 leakspeed: 15m
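Review bot: In xs539/joplin-server-bf the service literal is `'joplin'` while the scenario, file and old `log_type` value all say `joplin_server`, so this is the hunk most likely to drift from whatever the parser writes into `evt.Meta.service`; the test fixture for this scenario should exercise a real failed-login line so the literal is checked rather than assumed. While touching these documents, the user-enum variants at -19 in both bookstack-bf and joplin-server-bf still carry the parent's description, which makes alerts from the two buckets indistinguishable in a console — `description: "Detect bookstack user enum bruteforce"` and `description: "Detect Joplin Server user enum bruteforce"` would match the naming used by the other user-enum scenarios in this commit.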