I’ve just been experimenting and tried using explain on the last line in my haproxy.log
# cscli explain --verbose --log 'May 25 06:57:27 nginxsrv haproxy[1055]: 12.9.1.27:49871 [25/May/2022:06:57:27.272] fe_https_in~ be/httpserver 0/0/2/20/22 200 297 - - --NI 1/1/0/0/0 0/0 {www.domain.com} "POST /site/page.aspx?12345&9 HTTP/1.0' --type haproxy
and it responded with
line: May 25 06:57:27 nginxsrv haproxy[1055]: 12.9.1.27:49871 [25/May/2022:06:57:27.272] fe_https_in~ be/httpserver 0/0/2/20/22 200 297 - - --NI 1/1/0/0/0 0/0 {www.domain.com} "POST /path/page.aspx?12345&9 HTTP/1.0
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (first_parser)
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/haproxy-logs
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
I read this as saying that CrowdSec has failed to parse the haproxy log.
Have I failed to specify the log format correctly? Is my syntax incorrect?