Hi all,
I’m new to CrowdSec and I’m trying to create a custom parser for Stalwart logs.
My logs look like this:
2026-02-11T08:16:01Z INFO Banned due to scan (security.scan-ban) listenerId = "smtp", localPort = 25, remoteIp = 164.90.161.69, remotePort = 19983, remoteIp = 164.90.161.69, reason = "Invalid SMTP command"
Current parser attempt (stalwart-logs.yaml):
name: local/stalwart-logs
description: "Parse Stalwart logs for remoteIp"
filter: "evt.Line.Raw contains \"remoteIp =\""
grok:
  # apply_on takes a field name, not an expression: Line.Raw is the raw log line
  # (the "evt." prefix belongs to filter/statics expressions only)
  apply_on: Line.Raw
  pattern: 'remoteIp = %{IP:remote_addr}'
statics:
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
When I run:
sudo cscli explain --type stalwart --log '<log line>'
I get the warning:
WARNING Line 0/1 is missing evt.StrTime
This means that CrowdSec did not parse the timestamp, so in time-machine/forensic mode the line cannot be processed correctly.
I think the issue is that my Grok pattern does not include the timestamp, but I’m not sure how to include it properly in the parser.
Could someone provide an example of how to capture the ISO8601 timestamp in CrowdSec parsers so evt.StrTime is correctly populated?
Thanks for your help.
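An added example, not from the original post or from the CrowdSec hub, of a parser for the sample line above that captures the ISO8601 timestamp into evt.StrTime. It assumes the acquisition labels these lines with type "stalwart", that the file lives in the s01-parse stage so the raw line (no syslog prefix) reaches it, and the meta key names are choices of this example.

```yaml
# Added example (not the poster's file or a hub parser). Assumed: acquisition
# sets labels.type = "stalwart" and this file is placed in
# /etc/crowdsec/parsers/s01-parse/stalwart-logs.yaml (assumed path).
name: local/stalwart-logs
description: "Parse Stalwart scan-ban lines, populate evt.StrTime and source_ip"
filter: "evt.Line.Labels.type == 'stalwart'"
onsuccess: next_stage
pattern_syntax:
  # TIMESTAMP_ISO8601 is a built-in grok pattern and matches 2026-02-11T08:16:01Z.
  # remoteIp appears twice in the sample line; only the first occurrence is
  # captured and the repeat is skipped with .* before the reason field.
  STALWART_SCAN_BAN: '^%{TIMESTAMP_ISO8601:timestamp} %{WORD:level} Banned due to scan \(security\.scan-ban\) listenerId = "%{WORD:listener}", localPort = %{INT:local_port}, remoteIp = %{IP:remote_addr}, remotePort = %{INT:remote_port}, .*reason = "%{DATA:reason}"'
grok:
  name: STALWART_SCAN_BAN
  # Line.Raw is the raw log line; "evt.Line.Raw" is not a valid apply_on target
  apply_on: Line.Raw
statics:
  - meta: log_type
    value: stalwart_scan_ban
  - meta: source_ip
    expression: evt.Parsed.remote_addr
  - meta: listener
    expression: evt.Parsed.listener
  - meta: reason
    expression: evt.Parsed.reason
  # This is what clears the "missing evt.StrTime" warning: the captured
  # timestamp string is written to evt.StrTime, and the hub's
  # crowdsecurity/dateparse-enrich parser (s02-enrich) converts it into
  # evt.MarshaledTime so time-machine/forensic replay uses the log's own time.
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
```

Re-run `sudo cscli explain --type stalwart --log '<log line>'` afterwards: the parser node should report success and the StrTime warning should be gone, provided crowdsecurity/dateparse-enrich is installed.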