LaurenceJJones / cslogsumm

Crowdsec spin of pflogsumm
MIT License

Template Report #1

Open pabl-o-ce opened 2 years ago

pabl-o-ce commented 2 years ago

We need to work on the plain/text template first?

sample:


Crowdsec log summaries for Aug 29

Grand Totals
------------

39 alerts
20 banned

Alerts source IP
-----------------------
391 185.25.35.10 | Runtime Collective Limited | UK
200 185.25.35.15 | VNPT Corp | Vietnam
120 185.25.35.13 | HostSlick | Germany

Alerts source provider ISP/Cloud
-----------------------
391 Runtime Collective Limited | UK
200 VNPT Corp | Vietnam
120 HostSlick | Germany

Alerts source countries
-----------------------
391 UK
200 USA
120 Germany

Alerts source scenarios
-----------------------
391 http-bad-user-agent
200 ssh-slow-bf
120 postfix-spam

Buckets Metrics
-----------------------
BUCKET                                     | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED  | EXPIRED |
--------------------------------------------------------------------
crowdsecurity/dovecot-spam                 | -             | -         | 72           | 72      | 72      |
crowdsecurity/fortinet-cve-2018-13379      | -             | 6         | 6            | -       | -       |
crowdsecurity/http-backdoors-attempts      | -             | 1         | 21           | 22      | 20      |
crowdsecurity/http-bad-user-agent          | -             | 5.34k     | 9.32k        | 17.05k  | 3.98k   |
crowdsecurity/http-bf-wordpress_bf         | -             | 275       | 6.06k        | 7.64k   | 5.78k   |
crowdsecurity/http-crawl-non_statics       | 3             | 5         | 164.81k      | 236.12k | 164.80k |
crowdsecurity/http-cve-2021-41773          | -             | 1         | 1            | -       | -       |
crowdsecurity/http-open-proxy              | -             | 20        | 20           | -       | -       |
crowdsecurity/http-path-traversal-probing  | -             | -         | 16           | 18      | 16      |
crowdsecurity/http-probing                 | -             | 176       | 11.59k       | 14.85k  | 11.41k  |
crowdsecurity/http-sensitive-files         | -             | 6         | 284          | 315     | 278     |
crowdsecurity/http-sqli-probbing-detection | -             | -         | 45           | 248     | 45      |
crowdsecurity/http-wordpress_user-enum     | -             | 143       | 507          | 1.60k   | 364     |
crowdsecurity/http-wordpress_wpconfig      | -             | -         | 1            | 1       | 1       |
crowdsecurity/http-xss-probbing            | -             | -         | 3            | 3       | 3       |
crowdsecurity/jira_cve-2021-26086          | -             | 1         | 1            | -       | -       |
crowdsecurity/postfix-spam                 | -             | 70        | 26.06k       | 52.24k  | 25.99k  |
crowdsecurity/ssh-bf                       | -             | 60        | 2.97k        | 4.77k   | 2.91k   |
crowdsecurity/ssh-bf_user-enum             | -             | 15        | 3.34k        | 3.57k   | 3.33k   |
crowdsecurity/ssh-slow-bf                  | -             | 37        | 1.48k        | 4.77k   | 1.44k   |
crowdsecurity/ssh-slow-bf_user-enum        | -             | 2         | 1.96k        | 2.21k   | 1.96k   |
crowdsecurity/thinkphp-cve-2018-20062      | -             | 10        | 10           | -       | -       |
ltsich/http-w00tw00t                       | -             | 2         | 2            | -       | -       |

Acquisition Metrics
---------------------
SOURCE                                            | READ       | PARSED       | UNPARSED       | POURED TO BUCKET       |
--------------------------------------------------------------------
file:/var/log/maillog                             | 567.67k    | 55.80k       | 511.87k        | 52.31k                 |
file:/var/log/messages                            | 121.73M    | -            | 121.73M        | -                      |
file:/var/log/nginx/access.log                    | 682.10k    | 681.51k      | 587            | 277.64k                |
file:/var/log/nginx/error.log                     | 3.08k      | 1.86k        | 1.23k          | 231                    |
file:/var/log/secure                              | 10.78k     | 5.15k        | 5.63k          | 15.32k                 |
journalctl:journalctl-_SYSTEMD_UNIT=mysql.service | 1          | -            | 1              | -                      |

Parser Metrics
--------
PARSERS                          | HITS    | PARSED  | UNPARSED |
--------------------------------------------------------------------
child-crowdsecurity/dovecot-logs | 643.74k | 3.56k   | 640.18k  |
child-crowdsecurity/http-logs    | 2.05M   | 1.40M   | 652.55k  |
child-crowdsecurity/nginx-logs   | 688.85k | 683.37k | 5.49k    |
child-crowdsecurity/postfix-logs | 733.06k | 52.24k  | 680.82k  |
child-crowdsecurity/sshd-logs    | 127.02k | 5.15k   | 121.86k  |
child-crowdsecurity/syslog-logs  | 122.31M | 122.31M | -        |
crowdsecurity/dateparse-enrich   | 744.32k | 744.32k | -        |
crowdsecurity/dovecot-logs       | 216.96k | 3.56k   | 213.39k  |
crowdsecurity/geoip-enrich       | 744.32k | 744.32k | -        |
crowdsecurity/http-logs          | 683.37k | 651.85k | 31.52k   |
crowdsecurity/nginx-logs         | 685.18k | 683.37k | 1.81k    |
crowdsecurity/non-syslog         | 685.18k | 685.18k | -        |
crowdsecurity/postfix-logs       | 252.69k | 52.24k  | 200.46k  |
crowdsecurity/sshd-logs          | 16.40k  | 5.15k   | 11.24k   |
crowdsecurity/syslog-logs        | 122.31M | 122.31M | -        |
crowdsecurity/whitelists         | 1.49M   | 1.49M   | -        |

Local Api Metrics
------------------------
ROUTE                | METHOD | HITS   |
--------------------------------------------------------------------
/v1/alerts           | GET    | 12     |
/v1/alerts           | POST   | 3714   |
/v1/decisions/stream | GET    | 694323 |
/v1/watchers/login   | POST   | 774    |

Local Api Machines Metrics
--------------------------------------
MACHINE   | ROUTE      | METHOD | HITS |
--------------------------------------------------------------------
2jsd23233 | /v1/alerts | GET    | 12   |
2jsd23233 | /v1/alerts | POST   | 3714 |

Local Api Bouncers Metrics
---------------------------------------
BOUNCER                     | ROUTE                | METHOD | HITS   |
--------------------------------------------------------------------
FirewallBouncer-2jsd23233   | /v1/decisions/stream | GET    | 375413 |
cloudflareBouncer-2jsd232   | /v1/decisions/stream | GET    | 318910 |
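A rendering of the plain-text layout proposed in the comment above, as an added example that is not part of cslogsumm or of the comment: it aggregates a handful of constructed alerts by source IP, provider, country and scenario and fills the Grand Totals and the four "Alerts source" sections with Go's text/template. The Alert struct, Summarize, Render and sampleAlerts are assumptions made for illustration and do not mirror cscli's alert schema; the alerts are constructed sample data (one IP taken from the sample report, the others from documentation ranges).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// Alert is a trimmed-down view of one CrowdSec alert: only the fields the report
// groups on. The field names are this example's assumption, not cscli's schema.
type Alert struct {
	SourceIP string
	Provider string // ISP / cloud provider, as filled in by GeoIP enrichment
	Country  string
	Scenario string
	Banned   bool // true when the alert produced a ban decision
}

// Row is one "count label" line, Section one titled block of rows, and Summary
// the data the report template is executed against (Sections in print order).
type Row struct{ Count int; Label string }
type Section struct{ Title string; Rows []Row }
type Summary struct{ Date string; Alerts, Banned int; Sections []Section }

// rows turns a label->count map into rows sorted by count descending, ties
// broken by label so the report is deterministic across runs.
func rows(m map[string]int) []Row {
	out := make([]Row, 0, len(m))
	for label, n := range m {
		out = append(out, Row{n, label})
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Count > out[j].Count || out[i].Count == out[j].Count && out[i].Label < out[j].Label
	})
	return out
}

// Summarize computes the grand totals and the four grouped sections.
func Summarize(date string, alerts []Alert) Summary {
	byIP, byISP, byCountry, byScenario := map[string]int{}, map[string]int{}, map[string]int{}, map[string]int{}
	s := Summary{Date: date, Alerts: len(alerts)}
	for _, a := range alerts {
		if a.Banned {
			s.Banned++
		}
		byIP[fmt.Sprintf("%s | %s | %s", a.SourceIP, a.Provider, a.Country)]++
		byISP[fmt.Sprintf("%s | %s", a.Provider, a.Country)]++
		byCountry[a.Country]++
		byScenario[a.Scenario]++
	}
	s.Sections = []Section{
		{"Alerts source IP", rows(byIP)},
		{"Alerts source provider ISP/Cloud", rows(byISP)},
		{"Alerts source countries", rows(byCountry)},
		{"Alerts source scenarios", rows(byScenario)},
	}
	return s
}

// reportTmpl reproduces the layout proposed in the issue for the totals and the
// per-source sections; it is parsed once at start-up.
var reportTmpl = template.Must(template.New("report").Parse(`Crowdsec log summaries for {{.Date}}

Grand Totals
------------

{{.Alerts}} alerts
{{.Banned}} banned
{{range .Sections}}
{{.Title}}
-----------------------
{{range .Rows}}{{.Count}} {{.Label}}
{{end}}{{end}}`))

// Render executes the template and returns the plain-text report.
func Render(s Summary) (string, error) {
	var b strings.Builder
	err := reportTmpl.Execute(&b, s)
	return b.String(), err
}

// sampleAlerts is constructed sample data (one IP taken from the issue's sample,
// the others from documentation ranges), not alerts from a real instance.
func sampleAlerts() []Alert {
	return []Alert{
		{"185.25.35.10", "Runtime Collective Limited", "UK", "crowdsecurity/http-bad-user-agent", true},
		{"185.25.35.10", "Runtime Collective Limited", "UK", "crowdsecurity/http-bad-user-agent", false},
		{"203.0.113.7", "VNPT Corp", "Vietnam", "crowdsecurity/ssh-slow-bf", true},
		{"192.0.2.44", "HostSlick", "Germany", "crowdsecurity/postfix-spam", false},
	}
}

func main() {
	out, err := Render(Summarize("Aug 29", sampleAlerts()))
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints the report on stdout. Only the alert-derived sections are rendered; the Buckets, Acquisition, Parser and Local API tables of the sample are metrics tables rather than per-alert aggregates and are left out here.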

pabl-o-ce commented 2 years ago

We need to work more on the sections of the report... this is just the first attempt... we also need to add decisions.