fix(stirling-pdf-logs): add support for Stirling-PDF 2.9.2+ log format #1795

Merged
buixor merged 3 commits into master from copilot/update-grok-pattern-compatibility
May 26, 2026

Copilot AI commented May 12, 2026

Contributor

Stirling-PDF 2.9.2+ changed the failed-login log format: the emitting class changed from CustomAuthenticationFailureHandler to AuthController, the level dropped from ERROR to WARN, and the message structure changed from "Failed login attempt from IP: [X]" to "Invalid password for user: X from IP: Y".

Changes

  • parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml: adds a second grok node alongside the existing one to match the new format, preserving backwards compatibility:
- grok:
    pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} %{DATA:logger} \\[%{DATA:thread}\\] Invalid password for user: %{DATA:username} from IP: %{IP:source_ip}"
    apply_on: message
  statics:
    - meta: log_type
      value: failed_authentication
  • .tests/stirling-pdf-logs/stirling-pdf.log: adds three new-format log samples (private IPs).
  • .tests/stirling-pdf-logs/parser.assert: updated to cover the 3 additional entries across all parser stages (s00-raw, s01-parse, s02-enrich).

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR
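
The two failed-login formats described in the PR description, approximated in Python as an added example (not code from the PR or the CrowdSec hub). The regexes stand in for the grok macros, the pre-2.9.2 regex is an assumption built from the message text quoted above, and the sample lines, thread names and timestamps are constructed.

```python
import ipaddress
import re

# Shared prefix, mirroring the PR's grok node:
# %{TIMESTAMP_ISO8601} %{WORD:log_level} %{DATA:logger} \[%{DATA:thread}\]
PREFIX = (
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?\S*)"
    r" (?P<log_level>\w+) (?P<logger>.*?) \[(?P<thread>.*?)\] "
)
IP = r"(?P<source_ip>[0-9A-Fa-f:.]+)"  # candidate only, validated below

NODES = [
    # Pre-2.9.2 message (assumed regex; brackets around the IP treated as optional).
    re.compile(PREFIX + r"Failed login attempt from IP: \[?" + IP + r"\]?"),
    # 2.9.2+ message, following the grok pattern added by the PR.
    re.compile(PREFIX + r"Invalid password for user: (?P<username>.*?) from IP: " + IP),
]

# Constructed sample lines (private address space), one per format plus noise.
SAMPLE_LINES = [
    "2026-05-12 08:51:02.123 ERROR CustomAuthenticationFailureHandler [thread-1] "
    "Failed login attempt from IP: 192.168.1.10",
    "2026-05-12 08:52:10.456 WARN AuthController [thread-2] "
    "Invalid password for user: alice from IP: 10.0.0.5",
    "2026-05-12 08:53:00.789 INFO Application [main] Started application",
]

def parse_line(line):
    """Return parsed fields for a failed-login line, or None if no node matches."""
    for node in NODES:
        m = node.match(line)
        if not m:
            continue
        fields = m.groupdict()
        try:
            ipaddress.ip_address(fields["source_ip"])  # reject non-IP captures
        except ValueError:
            continue
        fields["log_type"] = "failed_authentication"  # same static as the parser
        return fields
    return None

def failed_logins_by_ip(lines):
    """Count failed-authentication events per source IP across both formats."""
    counts = {}
    for event in filter(None, map(parse_line, lines)):
        counts[event["source_ip"]] = counts.get(event["source_ip"], 0) + 1
    return counts
```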

Copilot AI changed the title [WIP] Update grok pattern for Stirling-PDF logs compatibility fix(stirling-pdf-logs): add support for Stirling-PDF 2.9.2+ log format May 12, 2026
Copilot finished work on behalf of buixor May 12, 2026 08:51
Copilot AI requested a review from buixor May 12, 2026 08:51
@buixor buixor marked this pull request as ready for review May 26, 2026 08:34
Copilot AI review requested due to automatic review settings May 26, 2026 08:34
@github-actions

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2022-3254 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2025-40552 🔴

@github-actions

Hello @buixor,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

Copilot AI left a comment

Contributor

Pull request overview

This PR updates the crowdsecurity/stirling-pdf-logs parser to handle Stirling-PDF 2.9.2+ failed-login log lines while keeping compatibility with the pre-2.9.2 format.

Changes:

  • Added an additional grok node to parse the new AuthController “Invalid password for user … from IP …” failed-login format.
  • Extended the Stirling-PDF test log fixture with new-format samples.
  • Regenerated/updated hubtest assertions to validate parsing and enrichment across all stages for the added samples.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml | Adds a second grok pattern to match Stirling-PDF 2.9.2+ failed-login log messages. |
| .tests/stirling-pdf-logs/stirling-pdf.log | Adds new-format failed-login log samples (using private IP space). |
| .tests/stirling-pdf-logs/parser.assert | Updates expected hubtest results to include the additional log entries through s00/s01/s02. |

@buixor buixor merged commit 06315bc into master May 26, 2026
8 of 9 checks passed
@buixor buixor deleted the copilot/update-grok-pattern-compatibility branch May 26, 2026 08:56

Development

Successfully merging this pull request may close these issues.

crowdsecurity/stirling-pdf-logs | Since Stirling-PDF Version 2.9.2-fat grok Pattern does not match

3 participants