Parse Vsftp log (Filebeat + Logstash)

Hecha · October 29, 2021, 9:40pm

Hello guys! I am trying to parse the logs of my FTP server (Vsftpd) with logstash but I am having trouble.
The logs follow the following format

Fri Oct 29 17:16:17 2021 [pid 22947] CONNECT: Client "::ffff:10.0.1.6"
Fri Oct 29 17:16:26 2021 [pid 22940] [test] FAIL LOGIN: Client "::ffff:10.0.1.6"
Fri Oct 29 17:16:51 2021 [pid 22954] CONNECT: Client "::ffff:10.0.1.6"
Fri Oct 29 17:16:59 2021 [pid 22953] [user] OK LOGIN: Client "::ffff:10.0.1.6"
Fri Oct 29 17:17:31 2021 [pid 22955] [user] OK DOWNLOAD: Client "::ffff:10.0.1.6", "/home/user/credentials.txt", 64 bytes, 24.33Kbyte/sec

I have not found any filebeat or logstash modules to help me achieve this

I tried using grok filter but the problem is that the lines are not all the same

I hope some of you can help me

Badger · October 29, 2021, 10:42pm

Use dissect to parse the fixed prefix and grok with an array of patterns for the variable part. An example is here .

Hecha · November 9, 2021, 8:21pm

Hey guys, i write a script to clean vsftpd log and convert it into ndjson.
You can find it on this repo : Vsftpd Parser
I hope you find it useful!

system · December 7, 2021, 8:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.