
Meshcentral parser is not parsing..

Last active a month ago

55 replies

8 views

  • AE

    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    | Source                                          | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    | file:/var/logs/homeassistant/home-assistant.log | 4          | -            | 4              | -                      |
    | file:/var/logs/meshcentral/auth.log             | 5          | -            | 5              | -                      |
    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    
    logline: Feb 13 15:39:30 meshcentral https[18]: Failed password for Jeroen from 172.18.0.200 port 58726

    It's the same logline as in my tests, so I don't know what I did wrong.

  • II

    Never wasted time learning things

  • AE

    yes that is true! appreciated tho 🙂

  • AE

    nice find btw

  • AE

    @iiamloz still no cigar…
    Logline: Feb 13 18:04:36 meshcentral https[18]: Failed password for jeredozajdj from 81.82.208.17 port 58560
    Metrics:
    Acquisition Metrics:
    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    | Source                                          | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    | file:/var/logs/homeassistant/home-assistant.log | 26         | -            | 26             | -                      |
    | file:/var/logs/meshcentral/auth.log             | 20         | -            | 20             | -                      |
    +-------------------------------------------------+------------+--------------+----------------+------------------------+
    

  • II

    What does your acquis.yaml look like?

  • AE

    or the full file?

  • AE

    Full in case you need it

    filenames:
      - /var/logs/default-host_access.log
      - /var/logs/proxy-host-*_access.log
      - /var/logs/proxy-host-*_error.log
    labels:
      type: nginx-proxy-manager
    ---
    filenames:
      - /var/logs/nextcloud/nextcloud.log
    labels:
      type: Nextcloud
    ---
    filenames:
      - /var/logs/homeassistant/home-assistant.log
    labels:
      type: home-assistant
    ---
    filenames:
      - /var/logs/jellyfin/log_*.log
    labels:
      type: jellyfin
    ---
    filenames:
      - /var/logs/meshcentral/auth.log
    labels:
      type: meshcentral
    
  • AE

    It's in a docker container; the real logs are of course mounted, like this:

    - /home/jeroen/docker/ssd-data/meshcentral/data/auth.log:/var/logs/meshcentral/auth.log:ro
    

  • AE

    they are readable by the container because I can do this:

    docker container exec crowdsec_lapi tail -f /var/logs/meshcentral/auth.log
    Feb 13 17:55:53 meshcentral mps[18]: Server listening on 0.0.0.0 port 4433.
    Feb 13 18:01:25 meshcentral http[18]: Server listening on 0.0.0.0 port 80.
    Feb 13 18:01:27 meshcentral mps[18]: Server listening on 0.0.0.0 port 4433.
    Feb 13 18:01:31 meshcentral https[18]: Accepted password for Jeroen from 10.30.52.182 port 32910
    Feb 13 18:02:18 meshcentral https[18]: User Jeroen logout from 10.30.52.182 port 39106
    Feb 13 18:02:23 meshcentral https[18]: Failed password for Jeroen from 10.30.52.182 port 39156
    Feb 13 18:04:36 meshcentral https[18]: Failed password for jeredozajdj from 81.82.208.17 port 58560
    Feb 13 18:07:14 meshcentral https[18]: Failed password for Jeroen from 10.30.52.182 port 54204
    Feb 13 18:07:20 meshcentral https[18]: Accepted password for Jeroen from 10.30.52.182 port 46954
    Feb 13 18:07:27 meshcentral https[18]: Failed password for Jeroen from 10.30.52.182 port 47670
    

  • AE

    @iiamloz all looks fine, no?

  • LE

    what happens if you run the following

    cscli explain  -l "Feb 13 18:02:23 meshcentral https[18]: Failed password for Jeroen from 10.30.52.182 port 39156" -t meshcentral
    

    or the actual log file

    cscli explain  -f /var/logs/meshcentral/auth.log -t meshcentral
    
  • LE

    example output to show that it is working

    line: Feb 13 18:02:23 meshcentral https[18]: Failed password for Jeroen from 10.30.52.182 port 39156
            ├ s00-raw
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       └ 🟢 a1ad/meshcentral-logs (+7 ~2)
            ├ s02-enrich
            |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
            |       ├ 🟢 crowdsecurity/geoip-enrich (+9)
            |       └ 🟢 crowdsecurity/whitelists (~2 [whitelisted])
            └-------- parser failure 🔴
    
  • AE

    line: Feb 13 19:01:10 meshcentral https[18]: Failed password for jeredozajdj from 81.82.208.17 port 53408
            ├ s00-raw
            |       ├ 🔴 crowdsecurity/docker-logs
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       ├ 🔴 LePresidente/jellyfin-logs
            |       ├ 🔴 a1ad/meshcentral-logs
            |       ├ 🔴 crowdsecurity/home-assistant-logs
            |       ├ 🔴 crowdsecurity/nextcloud-logs
            |       ├ 🔴 crowdsecurity/nginx-proxy-manager-logs
            |       └ 🔴 crowdsecurity/sshd-logs
            └-------- parser failure 🔴
    

  • AE

    so what is the difference … with the test data ..

    docker container exec crowdsec_lapi cscli explain -l "Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964" -t meshcentral
    line: Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964
            ├ s00-raw
            |       ├ 🔴 crowdsecurity/docker-logs
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       ├ 🔴 LePresidente/jellyfin-logs
            |       ├ 🔴 a1ad/meshcentral-logs
            |       ├ 🔴 crowdsecurity/home-assistant-logs
            |       ├ 🔴 crowdsecurity/nextcloud-logs
            |       ├ 🔴 crowdsecurity/nginx-proxy-manager-logs
            |       └ 🔴 crowdsecurity/sshd-logs
            └-------- parser failure 🔴
    

  • AE

    I really don't get it

  • AE

    When I test a logline from production in the dev env, all is good:
    Line not working in production:

    Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964
    
    hubtest in dev:

    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Parsed["message"] == "Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Parsed["program"] == "meshcentral"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Parsed["source_ip"] == "81.82.208.17"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Parsed["timestamp"] == "Feb 13 19:29:59"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Parsed["username"] == "vzefvzefze"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["log_type"] == "meshcentral_failed_auth"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["service"] == "meshcentral"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["source_ip"] == "81.82.208.17"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["user"] == "vzefvzefze"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["datasource_path"] == "meshcentral-logs.log"
    results["s01-parse"]["a1ad/meshcentral-logs"][3].Evt.Meta["datasource_type"] == "file"
    

  • AE

    I am so lost right now…

  • LE

    How did you install the collection?

  • AE

    docker container exec crowdsec_lapi cscli collections install a1ad/meshcentral

  • AE

    same as the jellyfin one, and meshcentral is based on jellyfin

  • LE

    I'll try to debug this today

  • LE

    kinda a weird one

  • LE

    Works in Linux WSL (my dev environment); in docker it does nothing

  • LE

    So it looks like some parsers just break the flow and I have no idea why

    brian@Brian:~$ sudo cscli explain -l "Feb 13 18:02:23 meshcentral https[18]: Failed password for jeroen from 10.30.52.182 port 39156" -t meshcentral
    line: Feb 13 18:02:23 meshcentral https[18]: Failed password for jeroen from 10.30.52.182 port 39156
            ├ s00-raw
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       ├ 🔴 LePresidente/authelia-logs
            |       ├ 🔴 LePresidente/emby-logs
            |       └ 🟢 a1ad/meshcentral-logs (+7 ~2)
            ├ s02-enrich
            |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
            |       ├ 🟢 crowdsecurity/geoip-enrich (+9)
            |       └ 🟢 crowdsecurity/whitelists (~2 [whitelisted])
            └-------- parser failure 🔴
    
    brian@Brian:~$ sudo cscli parser install LePresidente/gitea-logs
    INFO[14-02-2023 08:31:31] Ignoring file /etc/crowdsec/hub/collections/a1ad/meshcentral.yml of type collections
    INFO[14-02-2023 08:31:31] Enabled parsers : LePresidente/gitea-logs
    INFO[14-02-2023 08:31:31] Enabled LePresidente/gitea-logs
    INFO[14-02-2023 08:31:31] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
    brian@Brian:~$ sudo cscli explain -l "Feb 13 18:02:23 meshcentral https[18]: Failed password for jeroen from 10.30.52.182 port 39156" -t meshcentral
    line: Feb 13 18:02:23 meshcentral https[18]: Failed password for jeroen from 10.30.52.182 port 39156
            ├ s00-raw
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       ├ 🔴 LePresidente/authelia-logs
            |       ├ 🔴 LePresidente/emby-logs
            |       ├ 🔴 LePresidente/gitea-logs
            |       ├ 🔴 a1ad/meshcentral-logs
            |       └ 🔴 crowdsecurity/sshd-logs
            └-------- parser failure 🔴
    
  • LE

    but i see no reason why that parser should break it

  • LE

    Pinging @iiamloz just so he is aware as well.

    ok so this is due to pattern_syntax: in the yaml files.

    So if the same variable is defined in multiple parsers, only the first one is used

  • LE

    I'll do a PR for all my parsers and make them unique based on the parser name

  • LE

    So for example:
    jellyfin-logs.yaml

    pattern_syntax:
      CUSTOMDATE: "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"
    

    meshcentral-logs.yaml

    pattern_syntax:
      CUSTOMDATE: "%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"
    

    Depending on the order the parsers are loaded in, the first one read is used for all parsers and doesn't get replaced
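Added example (not from any participant in this thread, and not CrowdSec's code): a toy model in Python of the shared pattern_syntax namespace described above. The two CUSTOMDATE definitions are the ones quoted in the thread; the grok base patterns, the meshcentral grok line and the function names are assumptions written for this example only. It reproduces the three situations seen in the thread (collision in the container, success when the parser runs alone as in the dev env, success again after renaming), and adds the check a maintainer would want: a lint that reports pattern names defined by more than one parser.

```python
"""Toy model of a shared grok pattern_syntax namespace (constructed example).

Two parser definitions both register a pattern called CUSTOMDATE, exactly as
the jellyfin and meshcentral parsers in the thread did. Every pattern_syntax
entry goes into ONE shared registry and the first definition loaded wins, so
the meshcentral parser is compiled against jellyfin's date format and fails
on every line. Renaming the pattern per parser (the fix from the thread) is
modelled as well, together with a small lint that finds such collisions.
"""
import re

# Minimal subset of grok base patterns, written here for the example; not CrowdSec's own list.
BASE_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "INT": r"[+-]?[0-9]+",
    "WORD": r"\b\w+\b",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# Parser definitions reduced to the fields that matter here. The pattern_syntax values
# are the ones quoted in the thread; the meshcentral grok line is an assumption written
# for this example (the real parser's grok is not shown on this page).
JELLYFIN_PARSER = {
    "name": "LePresidente/jellyfin-logs",
    "pattern_syntax": {"CUSTOMDATE": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"},
    "grok": "",
}
MESHCENTRAL_PARSER = {
    "name": "a1ad/meshcentral-logs",
    "pattern_syntax": {"CUSTOMDATE": "%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"},
    "grok": (r"%{CUSTOMDATE:timestamp} %{WORD:program} %{WORD:service}\[%{INT:pid}\]: "
             r"Failed password for %{WORD:username} from %{IP:source_ip} port %{INT:port}"),
}

# The production line from the thread that parsed in dev but not in the container.
LOGLINE = "Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964"

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, registry):
    """Expand %{NAME} and %{NAME:field} references recursively into a Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(registry[name], registry)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


def build_registry(parsers):
    """One shared namespace for every parser's pattern_syntax: the first definition wins
    and later ones are silently dropped, which is the behaviour the thread observed."""
    registry = dict(BASE_PATTERNS)
    for parser in parsers:
        for name, syntax in parser["pattern_syntax"].items():
            registry.setdefault(name, syntax)
    return registry


def parse_line(parser, line, registry):
    """Return the captured fields, or None when the parser does not match (a red light in cscli explain)."""
    match = re.match(grok_to_regex(parser["grok"], registry), line)
    return match.groupdict() if match else None


def find_collisions(parsers):
    """Lint: pattern_syntax names defined by more than one parser, with their owners."""
    owners = {}
    for parser in parsers:
        for name in parser["pattern_syntax"]:
            owners.setdefault(name, []).append(parser["name"])
    return {name: who for name, who in owners.items() if len(who) > 1}


def rename_syntax(parser, mapping):
    """The fix from the thread: give each pattern a parser-specific name and update the grok references."""
    renamed = {mapping.get(name, name): syntax for name, syntax in parser["pattern_syntax"].items()}
    grok = parser["grok"]
    for old, new in mapping.items():
        grok = grok.replace("%{" + old + ":", "%{" + new + ":").replace("%{" + old + "}", "%{" + new + "}")
    return {**parser, "pattern_syntax": renamed, "grok": grok}


def demo():
    """Reproduce the three situations from the thread: container (collision), dev env (alone), after the fix."""
    broken = parse_line(MESHCENTRAL_PARSER, LOGLINE, build_registry([JELLYFIN_PARSER, MESHCENTRAL_PARSER]))
    alone = parse_line(MESHCENTRAL_PARSER, LOGLINE, build_registry([MESHCENTRAL_PARSER]))
    fixed_parser = rename_syntax(MESHCENTRAL_PARSER, {"CUSTOMDATE": "CUSTOMMESHCENTRALDATE"})
    fixed = parse_line(fixed_parser, LOGLINE, build_registry([JELLYFIN_PARSER, fixed_parser]))
    return broken, alone, fixed


if __name__ == "__main__":
    print("collisions:", find_collisions([JELLYFIN_PARSER, MESHCENTRAL_PARSER]))
    for label, result in zip(("shared namespace", "parser alone", "unique names"), demo()):
        print(f"{label:17}", "no match" if result is None else result)
```

The lint is the part worth keeping: run `find_collisions` over every parser loaded on an instance and an empty result means no parser can be broken by load order. Note that the failure is silent in the model just as it was in the thread, since `build_registry` never complains about the dropped definition; a real check has to be done outside the engine.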

  • LE

    https://github.com/crowdsecurity/hub/pull/656

  • II

    Yes, this is the case because we have to load all syntaxes into the same parser context. I would prefer them to be locally scoped to the parser, but the memory just got out of hand

  • LE

    Yea, that sounds reasonable, so I made all mine unique for now just to avoid this in the future

  • AE

    So a custom date would be: CUSTOMMESHCENTRALDATE

  • AE

    oh yeah, I see it now in your PR

  • AE

    that is one hell of a "feature"

  • II

    More of a limitation of the parser engine

  • AE

    Do I need to do something with the index json file?

  • II

    We could work around it, but when we tested it under load crowdsec used 3 times more RAM

  • AE

    when creating a PR

  • II

    No, that gets auto-updated by the repo

  • AE

    ok

  • II

    @AES Think you need to pull from the main branch first

  • II

    https://github.com/crowdsecurity/hub/pull/657

  • AE

    Myea

  • AE

    @iiamloz do I need to start over?

  • II

    No, just go to your branch and there should be an option to sync, but you have to resolve the conflicts

  • II

    via github ^^

  • AE

    too late I guess 🙂

  • II

    Just make sure you sync your main branch before creating a sub branch on your fork

  • AE

    yea, I forgot

  • AE

    sorry about that

  • AE

    line: Feb 13 19:29:59 meshcentral https[18]: Failed password for vzefvzefze from 81.82.208.17 port 48964
            ├ s00-raw
            |       ├ 🔴 crowdsecurity/docker-logs
            |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
            |       └ 🔴 crowdsecurity/syslog-logs
            ├ s01-parse
            |       ├ 🔴 LePresidente/jellyfin-logs
            |       ├ 🟢 a1ad/meshcentral-logs (+7 ~2)
            |       └ 🔴 crowdsecurity/home-assistant-logs
            ├ s02-enrich
            |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
            |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
            |       ├ 🔴 crowdsecurity/http-logs
            |       ├ 🔴 crowdsecurity/nextcloud-whitelist
            |       └ 🟢 crowdsecurity/whitelists (unchanged)
            ├-------- parser success 🟢
            ├ Scenarios
                    ├ 🟢 a1ad/meshcentral-bf
                    └ 🟢 a1ad/meshcentral-bf_user-enum
    

  • AE

    we have green lights 🙂

  • AE

    thanks @Lepresidente 👍

  • LE

    No problem, glad it was an easy fix
