Custom Unifi parser
Hi all,
I'm trying to write a s00 Unifi parser but running into some roadblocks. I have setup a test env. (which was a hassle btw.)
Using the help of AI I'm trying to get a basic understanding of how these parsers are written.
Example log:
I'm trying to write a s00 Unifi parser but running into some roadblocks. I have setup a test env. (which was a hassle btw.)
Using the help of AI I'm trying to get a basic understanding of how these parsers are written.
Example log:
Jun 13 16:30:19 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:xx:e5:00:17:xx:2b:31:a9:08:00 SRC=130.195.223.2 DST=<WAN_IP> LEN=60 TOS=00 PREC=0x00 TTL=53 ID=26089 DF PROTO=TCP SPT=57263 DPT=54329 SEQ=2894412795 ACK=0 WINDOW=64240 SYN URGP=0 MARK=1a0000Jun 13 16:30:19 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:xx:e5:00:17:xx:2b:31:a9:08:00 SRC=130.195.223.2 DST=<WAN_IP> LEN=60 TOS=00 PREC=0x00 TTL=53 ID=26089 DF PROTO=TCP SPT=57263 DPT=54329 SEQ=2894412795 ACK=0 WINDOW=64240 SYN URGP=0 MARK=1a0000/home/ubuntu/crowdsec-v1.6.8/tests/hub/parsers/s00-raw/crowdsecurity/s00-unifi-firewall.yaml
name: crowdsecurity/udmp-firewall-raw
description: "Parse Ubiquiti UDMP firewall log lines in syslog format"
stage: s00-raw
filter: "evt.Parsed.program == ''" # Optionally refine this
pattern_syntax:
MAC: "[0-9a-f]{2}(:[0-9a-f]{2}){5}(,[0-9a-f]{2}(:[0-9a-f]{2}){5})*"
nodes:
- grok:
pattern: |
%{SYSLOGTIMESTAMP:log_ts} %{DATA:host} \[%{DATA:fw_rule}\] DESCR=\"%{DATA:fw_descr}\" IN=%{WORD:in_iface} OUT=%{WORD:out_iface} MAC=%{MAC:mac} SRC=%{IPV4:src_ip} DST=%{IPV4:dst_ip} LEN=%{INT:len1} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:id} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} LEN=%{INT:len2} MARK=%{DATA:mark}
apply_on: message
statics:
- meta: service
value: "udmp-firewall"
- target: evt.Time
expression: "evt.Parsed.log_ts"
- target: evt.Parsed.source_ip
expression: "evt.Parsed.src_ip"
- target: evt.Parsed.destination_ip
expression: "evt.Parsed.dst_ip"
- target: evt.Parsed.source_port
expression: "evt.Parsed.src_port"
- target: evt.Parsed.destination_port
expression: "evt.Parsed.dst_port"
- target: evt.Parsed.proto
expression: "evt.Parsed.proto"
- target: evt.StrTime
expression: evt.Parsed.log_ts/home/ubuntu/crowdsec-v1.6.8/tests/hub/parsers/s00-raw/crowdsecurity/s00-unifi-firewall.yaml
name: crowdsecurity/udmp-firewall-raw
description: "Parse Ubiquiti UDMP firewall log lines in syslog format"
stage: s00-raw
filter: "evt.Parsed.program == ''" # Optionally refine this
pattern_syntax:
MAC: "[0-9a-f]{2}(:[0-9a-f]{2}){5}(,[0-9a-f]{2}(:[0-9a-f]{2}){5})*"
nodes:
- grok:
pattern: |
%{SYSLOGTIMESTAMP:log_ts} %{DATA:host} \[%{DATA:fw_rule}\] DESCR=\"%{DATA:fw_descr}\" IN=%{WORD:in_iface} OUT=%{WORD:out_iface} MAC=%{MAC:mac} SRC=%{IPV4:src_ip} DST=%{IPV4:dst_ip} LEN=%{INT:len1} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:id} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} LEN=%{INT:len2} MARK=%{DATA:mark}
apply_on: message
statics:
- meta: service
value: "udmp-firewall"
- target: evt.Time
expression: "evt.Parsed.log_ts"
- target: evt.Parsed.source_ip
expression: "evt.Parsed.src_ip"
- target: evt.Parsed.destination_ip
expression: "evt.Parsed.dst_ip"
- target: evt.Parsed.source_port
expression: "evt.Parsed.src_port"
- target: evt.Parsed.destination_port
expression: "evt.Parsed.dst_port"
- target: evt.Parsed.proto
expression: "evt.Parsed.proto"
- target: evt.StrTime
expression: evt.Parsed.log_ts
