$schema: "https://json-schema.org/draft-04/schema" $id: "http://schemas.crowdsec.net/schemas/parser.yaml" title: "CrowdSec Parser" type: object additionalProperties: false properties: onsuccess: type: string description: "If node is successful and onsuccess equals next_stage, event is moved to the next stage" pattern: "^next_stage$" debug: type: boolean description: "If true, enables the debug. Default is false." filter: type: string description: | filter must be a valid expr expression that will be evaluated against the event. If filter evaluation returns true or is absent, node will be processed. If filter returns false or a non-boolean, node won't be processed. description: type: string description: "description of the parser usage" pattern_syntax: $ref: "#/$defs/pattern_syntax" name: type: string description: | The mandatory name of the node. If not present, node will be skipped at runtime. It is used for example in debug log to help you track things. grok: $ref: "#/$defs/grok" stash: $ref: "#/$defs/stash" statics: $ref: "#/$defs/statics" data: $ref: "#/$defs/data" format: type: number description: | Non mandatory format version for the parser. configuration file. New features, may not be understood by old crowdsec version, filling this correctly ensures that crowdsec supports all the required parser features. additionalProperties: false minimum: 1.0 nodes: type: array description: | nodes is a list of parser nodes, allowing you to build trees. Each subnode must be valid, and if any of the subnodes succeed, the whole node is considered successful. items: $ref: "#/$defs/children_nodes" whitelist: type: object reason: ip: cidr: expression: type: string data: $ref: "#/$defs/data" required: - name # nodes, grok and statics can be present at the same time # nodes and whitelists are mutually exclusive # grok and whitelists are mutually exclusive # statics and whitelists are mutually exclusive oneOf: - allOf: - anyOf: - required: - nodes - required: - grok - required: - statics - not: anyOf: - required: - whitelist - allOf: - required: - whitelist - not: anyOf: - required: - statics - required: - pattern_syntax - required: - nodes - required: - onsuccess $defs: stash: type: array description: | The stash section allows a parser to capture data, that can be later accessed/populated via GetFromStash and SetInStash expr helpers. Each list item defines a capture directive that is stored in a separate cache (string:string), with its own maximum size, eviction rules etc. items: type: object properties: name: type: string description: | The name of the stash. Distinct parsers can manipulate the same cache key: type: string description: | The expression that defines the string that will be used as a key. value: type: string description: | The expression that defines the string that will be used as a key. ttl: type: string description: | The time to leave of items. Default strategy is LRU. pattern: >- ^([0-9]+(\.[0-9]+)*d)?([0-9]+(\.[0-9]+)*h)?([0-9]+(\.[0-9]+)*m)?([0-9]+(\.[0-9]+)*s)?([0-9]+(\.[0-9]+)*ms)?([0-9]+(\.[0-9]+)*(us|µs))?([0-9]+(\.[0-9]+)*ns)?$ size: type: integer description: | The maximum size of the cache. strategy: type: string pattern: "^(LFU|LRU|ARC)$" description: | The caching strategy to be used : LFU, LRU or ARC (see gcache doc for details). Defaults to LRU. required: - name - key - value data: type: array description: | data allows user to specify an external source of data. This section is only relevant when cscli is used to install parser from hub, as it will download the source_url and store it to dest_file. When the parser is not installed from the hub, CrowdSec won't download the URL, but the file must exist for the parser to be loaded correctly. items: type: object properties: source_url: type: string description: | url to download file from dest_file: type: string description: | destination to store the downloaded file to type: type: string pattern: "^(string|regexp)$" additionalProperties: false description: | The type is mandatory if you want to evaluate the data in the file, and should be regex for valid (re2) regular expression per line or string for string per line. The regexps will be compiled, the strings will be loaded into a list and both will be kept in memory. Without specifying a type, the file will be downloaded and stored as file and not in memory. strategy: type: string pattern: "^(LRU|LFU|ARC)$" description: | Strategy for cache behavior. See https://pkg.go.dev/github.com/bluele/gcache size: type: integer description: | Maximum size of the cache ttl: type: string description: | Duration after which cache elements expire pattern: >- ^([0-9]+(\.[0-9]+)*d)?([0-9]+(\.[0-9]+)*h)?([0-9]+(\.[0-9]+)*m)?([0-9]+(\.[0-9]+)*s)?([0-9]+(\.[0-9]+)*ms)?([0-9]+(\.[0-9]+)*(us|µs))?([0-9]+(\.[0-9]+)*ns)?$ required: - type - dest_file additionalProperties: false pattern_syntax: type: object patternProperties: "^[A-Z][A-Z0-9_v]*$": type: string additionalProperties: false description: | pattern_syntax allows user to define named capture group expressions for future use in grok patterns. Regexp must be a valid RE2 expression. grok: anyOf: - type: object additionalProperties: false properties: name: type: string pattern: type: string apply_on: type: string expression: type: string statics: $ref: "#/$defs/statics" description: | A valid grok pattern can be set up using the "pattern" field, or a named grok used through the name "field". This applies either on an valid expr "expression" or on directly on a field "apply_on" allOf: - oneOf: - required: - name - required: - pattern - oneOf: - required: - expression - required: - apply_on - type: "null" statics: type: array description: | Statics is a list of directives that will be evaluated when the node is considered successful. Each entry of the list is composed of a target (where to write) and a source (what data to write). items: type: object additionalProperties: false properties: meta: type: string parsed: type: string enriched: type: string target: type: string value: type: string expression: type: string method: type: string allOf: - oneOf: - required: - meta - required: - parsed - required: - enriched - required: - target - required: - method - oneOf: - required: - value - required: - expression children_nodes: type: object description: | nodes is a list of parser nodes, allowing you to build trees. Each subnode must be valid, and if any of the subnodes succeed, the whole node is considered successful. additionalProperties: false properties: onsuccess: type: string description: "If node is successful and onsuccess equals next_stage, event is moved to the next stage" pattern: "^next_stage$" debug: type: boolean description: "If true, enables the debug. Default is false." filter: type: string description: | filter must be a valid expr expression that will be evaluated against the event. If filter evaluation returns true or is absent, node will be processed. If filter returns false or a non-boolean, node won't be processed. pattern_syntax: $ref: "#/$defs/pattern_syntax" grok: $ref: "#/$defs/grok" stash: $ref: "#/$defs/stash" statics: $ref: "#/$defs/statics" nodes: type: array description: | nodes is a list of parser nodes, allowing you to build trees. Each subnode must be valid, and if any of the subnodes succeed, the whole node is considered successful. items: $ref: "#/$defs/children_nodes"