Technitium parser

Hi,

I'm trying to write a custom parser for technitium failed auth logs. However I'm unable to get it working properly... (Grok Debugger confirms that the correct things are getting matched though)

name: PintjesB/technitium-logs
description: "Parse Technitium auth logs"
onsuccess: next_stage
pattern_syntax:
  DATETIME_CUSTOM: '%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{TZ}'
nodes:
  - grok:
      pattern: '^\[%{DATETIME_CUSTOM}\] \[%{IP:source_ip}:%{INT:source_port}\] DnsServerCore.DnsWebServiceException: Invalid username or password for user: %{USERNAME:username}'
      apply_on: message
      statics:
        - meta: log_type
          value: technitium_failed_auth

statics:
  - meta: service
    value: technitium
  - target: evt.StrTime
    expression: "evt.Parsed.day + '/' + evt.Parsed.month + '/' + evt.Parsed.year + ' ' + evt.Parsed.time"
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - meta: source_port
    expression: "evt.Parsed.source_port"
  - meta: username
    expression: "evt.Parsed.username"

name: PintjesB/technitium-logs
description: "Parse Technitium auth logs"
onsuccess: next_stage
pattern_syntax:
  DATETIME_CUSTOM: '%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{TZ}'
nodes:
  - grok:
      pattern: '^\[%{DATETIME_CUSTOM}\] \[%{IP:source_ip}:%{INT:source_port}\] DnsServerCore.DnsWebServiceException: Invalid username or password for user: %{USERNAME:username}'
      apply_on: message
      statics:
        - meta: log_type
          value: technitium_failed_auth

statics:
  - meta: service
    value: technitium
  - target: evt.StrTime
    expression: "evt.Parsed.day + '/' + evt.Parsed.month + '/' + evt.Parsed.year + ' ' + evt.Parsed.time"
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - meta: source_port
    expression: "evt.Parsed.source_port"
  - meta: username
    expression: "evt.Parsed.username"

Log example:

[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin

[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin

However, I keep getting this log:

╰─✗  csdev hubtest run technitium-logs
Running test 'technitium-logs'
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/results/parser-dump.yaml
WARNING Assert file '/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/parser.assert' is empty, generating assertion: 

len(results) == 2
len(results["s01-parse"]["PintjesB/technitium-logs"]) == 1
results["s01-parse"]["PintjesB/technitium-logs"][0].Success == false
len(results["success"][""]) == 0

Error: please fill your assert file(s) for test 'technitium-logs', exiting

╰─✗  csdev hubtest run technitium-logs
Running test 'technitium-logs'
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/results/parser-dump.yaml
WARNING Assert file '/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/parser.assert' is empty, generating assertion: 

len(results) == 2
len(results["s01-parse"]["PintjesB/technitium-logs"]) == 1
results["s01-parse"]["PintjesB/technitium-logs"][0].Success == false
len(results["success"][""]) == 0

Error: please fill your assert file(s) for test 'technitium-logs', exiting

CrowdSec•7mo ago•

15 replies

PintjesBier

Technitium parser

Hi,

I'm trying to write a custom parser for technitium failed auth logs. However I'm unable to get it working properly... (Grok Debugger confirms that the correct things are getting matched though)

name: PintjesB/technitium-logs
description: "Parse Technitium auth logs"
onsuccess: next_stage
pattern_syntax:
  DATETIME_CUSTOM: '%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{TZ}'
nodes:
  - grok:
      pattern: '^\[%{DATETIME_CUSTOM}\] \[%{IP:source_ip}:%{INT:source_port}\] DnsServerCore.DnsWebServiceException: Invalid username or password for user: %{USERNAME:username}'
      apply_on: message
      statics:
        - meta: log_type
          value: technitium_failed_auth

statics:
  - meta: service
    value: technitium
  - target: evt.StrTime
    expression: "evt.Parsed.day + '/' + evt.Parsed.month + '/' + evt.Parsed.year + ' ' + evt.Parsed.time"
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - meta: source_port
    expression: "evt.Parsed.source_port"
  - meta: username
    expression: "evt.Parsed.username"

name: PintjesB/technitium-logs
description: "Parse Technitium auth logs"
onsuccess: next_stage
pattern_syntax:
  DATETIME_CUSTOM: '%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{TZ}'
nodes:
  - grok:
      pattern: '^\[%{DATETIME_CUSTOM}\] \[%{IP:source_ip}:%{INT:source_port}\] DnsServerCore.DnsWebServiceException: Invalid username or password for user: %{USERNAME:username}'
      apply_on: message
      statics:
        - meta: log_type
          value: technitium_failed_auth

statics:
  - meta: service
    value: technitium
  - target: evt.StrTime
    expression: "evt.Parsed.day + '/' + evt.Parsed.month + '/' + evt.Parsed.year + ' ' + evt.Parsed.time"
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - meta: source_port
    expression: "evt.Parsed.source_port"
  - meta: username
    expression: "evt.Parsed.username"

Log example:

[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin

[2025-07-28 05:34:01 UTC] [169.254.44.3:50051] DnsServerCore.DnsWebServiceException: Invalid username or password for user: admin

However, I keep getting this log:

╰─✗  csdev hubtest run technitium-logs
Running test 'technitium-logs'
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/results/parser-dump.yaml
WARNING Assert file '/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/parser.assert' is empty, generating assertion: 

len(results) == 2
len(results["s01-parse"]["PintjesB/technitium-logs"]) == 1
results["s01-parse"]["PintjesB/technitium-logs"][0].Success == false
len(results["success"][""]) == 0

Error: please fill your assert file(s) for test 'technitium-logs', exiting

╰─✗  csdev hubtest run technitium-logs
Running test 'technitium-logs'
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/results/parser-dump.yaml
WARNING Assert file '/home/ubuntu/crowdsec-v1.6.8/tests/hub/.tests/technitium-logs/parser.assert' is empty, generating assertion: 

len(results) == 2
len(results["s01-parse"]["PintjesB/technitium-logs"]) == 1
results["s01-parse"]["PintjesB/technitium-logs"][0].Success == false
len(results["success"][""]) == 0

Error: please fill your assert file(s) for test 'technitium-logs', exiting

Technitium parser

Similar Threads

Technitium parser

Similar Threads

Similar Threads

Similar Threads