directadmin

package
v1.87.2 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 16, 2026 License: MPL-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package directadmin implements a Parser for DirectAdmin's login.log format.

Phase B scope: parse login.log only. security.log is empty on the production fleet as of 2026-04-09 (srv3 verified); it will be added when real security.log samples become available.

DA login.log line format (from real srv3 fixture):

2026:04:04-12:21:12: '62.38.150.122' 1 failed login attempts. Account 'admin'
2026:04:04-12:21:21: '62.38.150.122' successful login to 'srv3admin'

The parser matches lines containing "failed login" (case-insensitive) and extracts:

  • IP: first single-quoted value
  • Username: value inside "Account '<user>'"
  • Timestamp: first 19 chars parsed as YYYY:MM:DD-HH:MM:SS

Lines containing "successful login" are skipped. Lines that match "failed login" but fail field extraction are reported as ParseMalformed (data anomaly, not a parser bug).
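The rules above as a stand-alone sketch, added here as an example and not the package's own code. `ParseLine`, `Event`, `Outcome` and `firstQuoted` are hypothetical names; validating the quoted value with `netip.ParseAddr`, treating an unparseable timestamp as malformed, and leaving the username empty when no Account field is present are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

type Outcome int
const (
	Skipped   Outcome = iota // not a "failed login" line
	Matched                  // fields extracted
	Malformed                // "failed login" line with unusable fields
)

type Event struct {
	When time.Time
	IP   netip.Addr
	User string
}

// firstQuoted returns the first single-quoted value in s.
func firstQuoted(s string) (string, bool) {
	if p := strings.SplitN(s, "'", 3); len(p) == 3 {
		return p[1], true
	}
	return "", false
}

// ParseLine applies the extraction rules from the overview to one line.
func ParseLine(line string) (Event, Outcome) {
	if !strings.Contains(strings.ToLower(line), "failed login") {
		return Event{}, Skipped
	}
	raw, _ := firstQuoted(line)
	ip, ipErr := netip.ParseAddr(raw) // rejects empty or non-address text
	// %.19s keeps at most the first 19 characters: YYYY:MM:DD-HH:MM:SS
	when, tsErr := time.Parse("2006:01:02-15:04:05", fmt.Sprintf("%.19s", line))
	if ipErr != nil || tsErr != nil {
		return Event{}, Malformed
	}
	_, after, _ := strings.Cut(line, "Account ")
	user, _ := firstQuoted(after) // assumption: no Account field leaves User empty
	return Event{When: when, IP: ip, User: user}, Matched
}

func main() {
	fmt.Println(ParseLine("2026:04:04-12:21:12: '62.38.150.122' 1 failed login attempts. Account 'admin'"))
}
```

Parsing the quoted value as an address, rather than passing the raw string on, keeps arbitrary log text out of whatever consumes the source IP downstream.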

PARITY TARGET

The legacy parser is internal/loginmon/detector/panel.go detectDANativeFormat() (lines 178–219). Parity is defined as: for every line where the legacy parser returns (Verdict, true), this parser returns (ParseMatched, NormalizedEvent) with:

legacy.IP                          == pipeline.SrcIP
legacy.ReasonNames[legacy.Reason]  == string(pipeline.Reason)
legacy.User                        == pipeline.Username

The parity test in directadmin_test.go asserts this on the real srv3 fixture.

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Parser

type Parser struct{}

Parser implements runtime.Parser for DirectAdmin login.log.

The parser is stateless: same input, same output. No I/O, no DNS, no cross-line state. Thread-safe by construction (no mutable fields).

func New

func New() *Parser

New constructs a DirectAdmin parser. It takes no configuration because the line format is fixed.

func (*Parser) Name

func (p *Parser) Name() string

Name returns the source identifier this parser handles.

func (*Parser) Parse

func (p *Parser) Parse(line event.RawLine) event.ParseResult

Parse attempts to extract a NormalizedEvent from a DA login.log line.

Returns ParseMatched for "failed login" lines with valid IP extraction. Returns ParseSkipped for "successful login" or non-matching lines. Returns ParseMalformed for "failed login" lines where the IP cannot be extracted (data anomaly in the log).
