Apache2 logs are not parsing (all lines unsuccessful)

Hello there. I’m new to crowdsec, please help me. I installed crowdsec, default collection for apache, gettext, bouncer.

In /etc/crowdsec/acquis.yaml I added paths to my logs:

filenames:
  - /www/wwwlogs/access_log
  - /www/wwwlogs/my.domain-access_log
labels:
  type: apache2

Then I restarted crowdsec. But the logs aren’t parsed. There is always trouble parsing the time, but the log format is compatible with the grok pattern.

nodes:
  - grok:
      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{COMMONAPACHELOG}( "%{NOTDQUOTE:referrer}" "%{NOTDQUOTE:http_user_agent}")?'

~# cscli metrics show acquisition
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├───────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 10 │ - │ 10 │ - │ - │
│ file:/var/log/kern.log │ 4 │ - │ 4 │ - │ - │
│ file:/var/log/messages │ 4 │ - │ 4 │ - │ - │
│ file:/var/log/syslog │ 6 │ - │ 6 │ - │ - │
│ file:/www/wwwlogs/my.domain-access_log │ 74 │ - │ 74 │ - │ - │
╰───────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
~# tail -n 3 /www/wwwlogs/my.domain-access_log | cscli explain -f- --type apache2 -v
WARNING Line 0/10 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain655300316/parser-dump.yaml
WARNING Line 1/10 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain655300316/parser-dump.yaml
WARNING Line 2/10 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain655300316/parser-dump.yaml
WARNING Line 3/10 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain655300316/parser-dump.yaml

line: 180.149.228.172 - - [16/Jul/2025:11:23:45 +0300] "GET /.well-known/pki-validation/moon.php HTTP/1.1" 404 2080 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
├ apache-custom.yaml
| └ 🔴 crowdsecurity/apache2-custom
└-------- parser failure 🔴

line: 180.149.228.174 - - [16/Jul/2025:11:23:47 +0300] "GET /credits.php HTTP/1.1" 404 2080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
├ apache-custom.yaml
| └ 🔴 crowdsecurity/apache2-custom
└-------- parser failure 🔴

line: 180.149.228.174 - - [16/Jul/2025:11:23:48 +0300] "GET /wp-content/plugins/dummyyummy/wp-signup.php HTTP/1.1" 404 2080 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
├ apache-custom.yaml
| └ 🔴 crowdsecurity/apache2-custom
└-------- parser failure 🔴

What is the problem?

Same with default parsers

line: 45.248.76.214 - - [16/Jul/2025:11:31:17 +0300] "GET /wp-includes/click.php HTTP/1.1" 404 2080 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| └ 🔴 crowdsecurity/nginx-logs
└-------- parser failure 🔴

Hi, it seems you are missing the base parsers, which should be installed by default. Please run:

cscli collections install crowdsecurity/linux

Once this is completed, your explain should now work, and then you can restart crowdsec via:

systemctl restart crowdsec
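
A way to check `cscli explain` output for the symptom discussed in this thread, as an added example that is not part of the original posts: it lists the stages each line went through and flags lines that never reached an `s00-raw` stage. It assumes the base parsers run in a stage named `s00-raw`; the function names and the sample output (including the healthy second entry) are constructed for illustration.

```sh
# Constructed sample: first entry mirrors the failure shown in the thread,
# second entry is a constructed healthy run for contrast.
SAMPLE_EXPLAIN='line: 45.248.76.214 - - [16/Jul/2025:11:31:17 +0300] "GET /wp-includes/click.php HTTP/1.1" 404 2080 "-" "Mozilla/5.0"
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| └ 🔴 crowdsecurity/nginx-logs
└-------- parser failure 🔴
line: 45.248.76.214 - - [16/Jul/2025:11:31:18 +0300] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
├ s00-raw
| └ 🟢 crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| └ 🟢 crowdsecurity/apache2-logs (+22 ~2)
├ s02-enrich
| └ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
├-------- parser success 🟢'

# Reads `cscli explain` text on stdin and prints one summary row per log line:
#   line=<n> result=<success|failure|unknown> s00-raw=<yes|no> stages=<list>
explain_stages() {
  awk '
    function report() {
      n++
      raw = (stages ~ /s00-raw/) ? "yes" : "no"
      printf "line=%d result=%s s00-raw=%s stages=%s\n", n, result, raw, (stages ? stages : "none")
    }
    # A new "line:" entry closes the previous one; skip the raw log text itself.
    /^line: /            { if (seen) report(); seen = 1; stages = ""; result = "unknown"; next }
    # Stage headers look like "s00-raw", "s01-parse", "s02-enrich".
    /s[0-9][0-9]-[a-z]+/ { match($0, /s[0-9][0-9]-[a-z]+/)
                           stages = stages (stages ? "," : "") substr($0, RSTART, RLENGTH) }
    /parser failure/     { result = "failure" }
    /parser success/     { result = "success" }
    END                  { if (seen) report() }
  '
}

# Exit status 0 when at least one explained line never reached s00-raw,
# the symptom that points at missing base parsers.
missing_s00_raw() {
  explain_stages | grep -q 's00-raw=no'
}
```

On a CrowdSec host the same function can be fed live output, for example `tail -n 3 /www/wwwlogs/my.domain-access_log | cscli explain -f- --type apache2 | explain_stages`.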