saving uncommitted changes in /etc prior to dnf run

2023-08-10 11:58:05 +03:00
parent 2d84c3580c
commit b9d544b9c6
199 changed files with 5119 additions and 120 deletions
--- a/crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
+++ b/crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
@@ -2,13 +2,21 @@ onsuccess: next_stage
 name: crowdsecurity/mysql-logs
 description: "Parse MySQL logs"
 filter: "evt.Parsed.program == 'mysql'"
-grok:
-  pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)"
-  apply_on: message
+pattern_syntax:
+  MYSQL_ACCESS_DENIED: "Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)" 
+nodes:
+  - grok:
+      pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? %{MYSQL_ACCESS_DENIED}"
+      apply_on: message
+  - grok:
+      pattern: "%{TIMESTAMP_ISO8601:time}.*%{NUMBER} Connect.*%{MYSQL_ACCESS_DENIED}"
+      apply_on: message
 statics:
  - meta: log_type
    value: mysql_failed_auth
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
+  - target: evt.StrTime
+    expression: evt.Parsed.time
  - meta: user
-    expression: "evt.Parsed.user"
+    expression: "evt.Parsed.user"