From 81bddd3455c861842d86b60c54cb5592a00f52a0 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Mon, 6 Apr 2020 18:14:26 +0200
Subject: [PATCH] Update 0170-nginx_decoders.xml. Extract dstuser

Twin decoders to extract the dstuser for nginx basic auth
---
 decoders/0170-nginx_decoders.xml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/decoders/0170-nginx_decoders.xml b/decoders/0170-nginx_decoders.xml
index b3c33255d..3b79ba86f 100644
--- a/decoders/0170-nginx_decoders.xml
+++ b/decoders/0170-nginx_decoders.xml
@@ -8,10 +8,12 @@
 -->
 
 <!--
-  - Will extract the srcip.
+  - Will extract the srcip. Additionally extract the username for basic authentication if present.
   - Examples:
   - 2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"
   - 2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)
+  - 2018/05/26 06:46:11 [error] 31963#31963: *28769 user "test user" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
+  - 2018/05/27 10:22:20 [error] 31972#31972: *52363 user "user2": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"
   -->
 <decoder name="nginx-errorlog">
   <prematch>^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [</prematch>
@@ -29,6 +31,19 @@ Extract NAXSI WAF alert information https://github.com/nbs-system/naxsi/wiki/nax
   <order>srcip,server,uri,learning,vers,total_processed,total_blocked,block,attack,score</order>
 </decoder>
 
+<decoder name="nginx-errorlog-user-ip">
+  <parent>nginx-errorlog</parent>
+  <prematch offset="after_parent"> user "\.+"</prematch>
+  <regex offset="after_parent"> user "(\.+)"</regex>
+  <order>dstuser</order>
+</decoder>
+
+<decoder name="nginx-errorlog-user-ip">
+  <parent>nginx-errorlog</parent>
+  <regex offset="after_regex">client: (\S+),</regex>
+  <order>srcip</order>
+</decoder>
+
 <decoder name="nginx-errorlog-ip">
   <parent>nginx-errorlog</parent>
   <prematch offset="after_parent">, client: \S+, server: \S*, request: "\S+ </prematch>