Cscli explain syntax problem

I’ve just been experimenting and tried using explain on the last line in my haproxy.log

# cscli explain --verbose --log 'May 25 06:57:27 nginxsrv haproxy[1055]: 12.9.1.27:49871 [25/May/2022:06:57:27.272] fe_https_in~ be/httpserver 0/0/2/20/22 200 297 - - --NI 1/1/0/0/0 0/0 {www.domain.com} "POST /site/page.aspx?12345&9 HTTP/1.0' --type haproxy

and it responded with

line: May 25 06:57:27 nginxsrv haproxy[1055]: 12.9.1.27:49871 [25/May/2022:06:57:27.272] fe_https_in~ be/httpserver 0/0/2/20/22 200 297 - - --NI 1/1/0/0/0 0/0 {www.domain.com} "POST /path/page.aspx?12345&9 HTTP/1.0
        â s00-raw
        |       â ð¢ crowdsecurity/non-syslog (first_parser)
        |       â ð´ crowdsecurity/syslog-logs
        â s01-parse
        |       â ð´ crowdsecurity/haproxy-logs
        |       â ð´ crowdsecurity/sshd-logs
        â-------- parser failure ð´

I read this as saying that crowdsec has failed to parse haproxy log.

Have I failed to specify the log format correctly? Is my syntax incorrect?

Hello,

Sorry your output doesn’t render very well and eats the colors so I’m not sure I can read what works or not.

However, it seems that you log line is incomplete, there is an unbalanced double quote :

"POST /site/page.aspx?12345&9 HTTP/1.0'

Don’t hesitate to look at the parser associated tests in case of doubt : hub/haproxy-logs.log at master · crowdsecurity/hub · GitHub

Quite right. I should have spotted that. It works now, though I still don’t yet understand what the explanation means.