diff --git a/parsers/s01-parse/LePresidente/adguardhome-logs.yaml b/parsers/s01-parse/LePresidente/adguardhome-logs.yaml
index 906984e3d96..7b4911cb972 100644
--- a/parsers/s01-parse/LePresidente/adguardhome-logs.yaml
+++ b/parsers/s01-parse/LePresidente/adguardhome-logs.yaml
@@ -4,6 +4,12 @@ name: LePresidente/adguardhome-logs
 description: "Parse adguardhome logs"
 filter: "evt.Parsed.program == 'adguardhome'"
 nodes:
+ - grok:
+ pattern: '%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME:time}\.%{GREEDYDATA:milliseconds} \[%{LOGLEVEL:level}\] %{WORD:service}: http error host=%{HOSTNAME:host} method=%{WORD:method} url=%{URIPATH:url} status=%{NUMBER:status} ip=%{IP:source_ip} err="%{GREEDYDATA:error_message}"'
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: adguardhome_failed_auth
 - grok:
 pattern: '%{DATE_X:date} %{TIME:time}.* POST %{HOSTNAME} /control/login: from ip %{IP:source_ip}: invalid username or password$'
 apply_on: message
@@ -24,4 +30,4 @@ statics:
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
 - target: evt.StrTime
- expression: "evt.Parsed.date + ' ' + evt.Parsed.time"
\ No newline at end of file
+ expression: "evt.Parsed.date + ' ' + evt.Parsed.time"
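Review bot: The new grok node captures `time` but no `date` field, while the `evt.StrTime` static shown in the second hunk (which appears to be the parser-level `statics:` block) is built from `evt.Parsed.date + ' ' + evt.Parsed.time`, so events matched by the new node would get a StrTime with an empty date and lose their timestamp. Naming the date portion fixes it, e.g. `pattern: '(?<date>%{YEAR}/%{MONTHNUM}/%{MONTHDAY}) %{TIME:time}\.%{INT:milliseconds} \[%{LOGLEVEL:level}\] ...'` with the rest unchanged; if the project's `DATE_X` pattern already covers the `YYYY/MM/DD` layout, `%{DATE_X:date}` as in the existing node is simpler, and `%{INT}` also replaces `%{GREEDYDATA:milliseconds}`, an over-broad capture for a digit run. Separately, the pattern matches any `http error ... status=... err=...` line rather than only authentication failures, yet every match is tagged `log_type: adguardhome_failed_auth`; unless the downstream scenario filters on `status` or `error_message`, unrelated HTTP errors would feed a failed-auth bucket, so either narrow the pattern (for example on the `err` text) or add a comment stating that this is intended. The `nodes:` list continues past the hunk.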