fix(authelia): Remove ^ from the patterns to allow container log pars…

…ing (#819) * fix(authelia): Remove ^ & $ from the patterns to allow container log parsing as well First of all - Thanks for the great work ! It seems like we have to remove the start/end of the line matching filter to allow container logs to be parsed. * Fixup !
crowdsecurity · Sep 4, 2023 · 99d33f1 · 99d33f1
1 parent 0cac87f
commit 99d33f1
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/parsers/s01-parse/LePresidente/authelia-logs.yaml b/parsers/s01-parse/LePresidente/authelia-logs.yaml
@@ -7,9 +7,9 @@ pattern_syntax:
   AUTHELIA_BAD_AUTH: 'Unsuccessful 1FA authentication attempt by user \S(%{EMAILADDRESS:email}|%{USERNAME:username})\S'
   AUTHELIA_BAD_DUO: 'Unsuccessful Duo authentication attempt by user \S(%{EMAILADDRESS:email}|%{USERNAME:username})\S'
   AUTHELIA_BAD_TOTP: 'Unsuccessful TOTP authentication attempt by user \S(%{EMAILADDRESS:email}|%{USERNAME:username})\S'
-  AUTHELIA_CLF_BADAUTH: '^time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_AUTH}.*?remote_ip=%{IP:remote_ip}'
-  AUTHELIA_CLF_DUO: '^time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_DUO}.*?remote_ip=%{IP:remote_ip}'
-  AUTHELIA_CLF_TOTP: '^time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_TOTP}.*?remote_ip=%{IP:remote_ip}'
+  AUTHELIA_CLF_BADAUTH: 'time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_AUTH}.*?remote_ip=%{IP:remote_ip}'
+  AUTHELIA_CLF_DUO: 'time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_DUO}.*?remote_ip=%{IP:remote_ip}'
+  AUTHELIA_CLF_TOTP: 'time="%{RFC3339:timestamp}".*?%{AUTHELIA_BAD_TOTP}.*?remote_ip=%{IP:remote_ip}'
 nodes:
   - grok:
       name: "AUTHELIA_CLF_BADAUTH"
@@ -54,4 +54,4 @@ statics:
     - target: evt.StrTime
       expression: evt.Parsed.timestamp
     - meta: source_ip
-      expression: "evt.Parsed.remote_ip"
+      expression: "evt.Parsed.remote_ip"