Help with iptables parser failure/not working, why, and how to debug them

I need some help with understanding why crowdsecurity/iptables-logs parser is not working on my log entries.

Specifically I’m seeking:

  1. Why is this one not being picked up?
  2. How can I analyse it on my own? explain does not explain anything interesting here :slight_smile: What should be my proper approach to analysing cases like that (parsers not picking up)?
    2.b. Specifically, what exact condition failed and did not let this log line move forward? (all -debug/-trace etc. options were useless here)
    2.c. Is there a way to disable those fancy green/red circles and use normal pure ASCII? The circles show in the web, but not in the terminal on embedded devices.

root@rtr:/etc/crowdsec# cscli explain -v -t syslog -l '2022-04-14T21:34:28 rtr kernel: [1834431.431012] REJECT lan in: IN=br0.99 OUT= MAC=00:11:22:33:44:55:00:22:33:44:55:66:08:00 SRC=10.1.1.2 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38450 DF PROTO=TCP SPT=32930 DPT=1111 WINDOW=65424 RES=0x00 SYN URGP=0'
line: 2022-04-14T21:34:28 rtr kernel: [1834431.431012] REJECT lan in: IN=br0.99 OUT= MAC=00:11:22:33:44:55:00:22:33:44:55:66:08:00 SRC=10.1.1.2 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38450 DF PROTO=TCP SPT=32930 DPT=1111 WINDOW=65424 RES=0x00 SYN URGP=0
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (first_parser)
	|	└ 🔴 crowdsecurity/syslog-logs
	├ s01-parse
	|	├ 🔴 crowdsecurity/iptables-logs
	|	└ 🔴 crowdsecurity/sshd-logs
	└-------- parser failure 🔴

The parser doesn’t like the dot in your interface name (IN).
I tried your explain with it replaced by a _ (br0_99); works fine.

No idea how to debug it either, but the “WORD” in IN=%{WORD:int_eth} in the parser code, and the dot in your IN value, somehow woke up a neuron here :smiley:
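As an added illustration of the point above (this is example code written for this page, not crowdsec’s parser and not the hub’s iptables-logs pattern): a tiny grok expander in Go, the language and RE2 regexp engine crowdsec itself uses, run over the log line from the thread. Stock grok defines WORD as \b\w+\b, and \w does not include ".", so the capture stops at "br0" and the literal " OUT=" that follows can never match ".99 OUT=". The base pattern table, the IFNAME name and the cut-down IN=…DPT= expressions are assumptions made for the example; the real hub pattern is longer. FailingToken is a cheap stand-in for the per-condition trace asked for in 2.b: it bisects the pattern token by token and reports where matching first stops.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The log line from the thread, with the VLAN sub-interface br0.99 in IN=.
const SampleLine = "2022-04-14T21:34:28 rtr kernel: [1834431.431012] REJECT lan in: IN=br0.99 OUT= MAC=00:11:22:33:44:55:00:22:33:44:55:66:08:00 SRC=10.1.1.2 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38450 DF PROTO=TCP SPT=32930 DPT=1111 WINDOW=65424 RES=0x00 SYN URGP=0"

// Base patterns, written out here for the example. WORD, IP and INT follow
// the stock grok definitions; \w is [0-9A-Za-z_], so WORD stops at '.'.
// IFNAME is an assumed replacement (not a name from crowdsec or the hub):
// it accepts the characters Linux allows in interface names, '.' included.
var basePatterns = map[string]string{
	"WORD":   `\b\w+\b`,
	"IP":     `(?:\d{1,3}\.){3}\d{1,3}`,
	"INT":    `[+-]?\d+`,
	"IFNAME": `[A-Za-z0-9_.:-]+`,
}

// Cut-down stand-ins for the IN= ... DPT= fragment of the iptables grok
// (assumed for this example; the hub's real pattern is longer).
// Only the IN= capture differs between the two.
const (
	WordPattern   = `IN=%{WORD:int_eth} OUT= MAC=\S+ SRC=%{IP:src_ip} DST=%{IP:dst_ip} .*PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port}`
	IfnamePattern = `IN=%{IFNAME:int_eth} OUT= MAC=\S+ SRC=%{IP:src_ip} DST=%{IP:dst_ip} .*PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port}`
)

// grokRef matches %{PATTERN:field} or %{PATTERN}.
var grokRef = regexp.MustCompile(`%\{(\w+)(?::(\w+))?\}`)

// expand substitutes base patterns into a grok expression and compiles it
// with Go's RE2 engine, the substitution step every grok library performs.
func expand(expr string) (*regexp.Regexp, error) {
	var firstErr error
	out := grokRef.ReplaceAllStringFunc(expr, func(ref string) string {
		sub := grokRef.FindStringSubmatch(ref)
		base, ok := basePatterns[sub[1]]
		if !ok {
			if firstErr == nil {
				firstErr = fmt.Errorf("unknown grok pattern %q", sub[1])
			}
			return ref
		}
		if sub[2] == "" {
			return "(?:" + base + ")"
		}
		return "(?P<" + sub[2] + ">" + base + ")"
	})
	if firstErr != nil {
		return nil, firstErr
	}
	return regexp.Compile(out)
}

// Match applies a grok expression to one line and returns its named
// captures, or nil when it does not match (the "parser failure" case).
func Match(expr, line string) map[string]string {
	re, err := expand(expr)
	if err != nil {
		return nil
	}
	m := re.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	fields := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if i > 0 && name != "" {
			fields[name] = m[i]
		}
	}
	return fields
}

// FailingToken answers "which part of the pattern broke?" by matching
// growing whitespace-delimited prefixes of the expression and returning the
// first token at which the prefix stops matching ("" if all of it matches).
// The culprit is that token or the one just before it.
func FailingToken(expr, line string) string {
	toks := strings.Fields(expr)
	for i := range toks {
		if Match(strings.Join(toks[:i+1], " "), line) == nil {
			return toks[i]
		}
	}
	return ""
}

func main() {
	cases := []struct{ name, expr string }{{"WORD", WordPattern}, {"IFNAME", IfnamePattern}}
	for _, c := range cases {
		fmt.Printf("%-6s fields=%v failing-token=%q\n", c.name, Match(c.expr, SampleLine), FailingToken(c.expr, SampleLine))
	}
}
```

With go run, the WORD variant prints no fields and stops at the OUT= token (the capture before it swallowed only br0); the IFNAME variant yields int_eth=br0.99 and the rest of the fields. The same prefix-bisection works on a real pattern pasted from the hub: feed cscli explain ever-longer prefixes of the grok until it goes red, and the last token added is where to look.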

Hi, thanks @smu44 for your reply. I confirm that’s the issue.
I just created a PR to fix this.


Thank you @smu44 - I confirm that this solved my problem. Good spot/hunch with WORD and ‘.’ !!
