Hi,
I installed the Caddy collection (cscli collections install crowdsecurity/caddy) and it works for the most part, but while testing and reviewing the results I noticed some parser failures. I'd like to know whether anything can be done to eliminate these failures.
I don't have enough experience with CrowdSec to understand the reason for these failures, and I hope that someone here can help. The output of 'cscli explain --type caddy --verbose' for some sample lines that fail parsing is included below (my server's IP address was manually replaced; it appears as 0.0.0.0 in the output). Thank you!
line: {"level":"info","ts":1689610831.4908166,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"53506","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004636,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689610831.4908166,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"53506","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004636,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.970212353 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689610831.4908166,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"53506","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004636,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.971004477 +0000 UTC
| ├ create evt.Meta.datasource_type : file
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 91.224.92.16
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689378347.8289995,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.34","remote_port":"40174","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:443","uri":"/","headers":{},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"jellyfin.glosol.com"}},"user_id":"","duration":0.000463121,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689378347.8289995,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.34","remote_port":"40174","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:443","uri":"/","headers":{},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"jellyfin.glosol.com"}},"user_id":"","duration":0.000463121,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.46327441 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689378347.8289995,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.34","remote_port":"40174","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:443","uri":"/","headers":{},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"jellyfin.glosol.com"}},"user_id":"","duration":0.000463121,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.463737052 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 167.94.138.34
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689540270.8057756,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.124","remote_port":"45920","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.000214521,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689540270.8057756,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.124","remote_port":"45920","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.000214521,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.811317389 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689540270.8057756,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"167.94.138.124","remote_port":"45920","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.000214521,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.811826351 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 167.94.138.124
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689807610.132443,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"46.8.29.152","remote_port":"64739","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/","headers":{"Connection":["Keep-Alive"]}},"user_id":"","duration":0.00004416,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689807610.132443,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"46.8.29.152","remote_port":"64739","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/","headers":{"Connection":["Keep-Alive"]}},"user_id":"","duration":0.00004416,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.523697697 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689807610.132443,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"46.8.29.152","remote_port":"64739","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/","headers":{"Connection":["Keep-Alive"]}},"user_id":"","duration":0.00004416,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.524661421 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 46.8.29.152
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689484436.395933,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"106.75.71.52","remote_port":"58910","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{"Accept":["*/*"]}},"user_id":"","duration":0.000208601,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689484436.395933,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"106.75.71.52","remote_port":"58910","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{"Accept":["*/*"]}},"user_id":"","duration":0.000208601,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.745163904 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689484436.395933,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"106.75.71.52","remote_port":"58910","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{"Accept":["*/*"]}},"user_id":"","duration":0.000208601,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:12.745568346 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 106.75.71.52
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689628856.60371,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"33370","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004552,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689628856.60371,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"33370","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004552,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.01135449 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689628856.60371,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"91.224.92.16","remote_port":"33370","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0:80","uri":"/","headers":{}},"user_id":"","duration":0.00004552,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/"],"Content-Type":[]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.011642452 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 91.224.92.16
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: {"level":"info","ts":1689819255.9251556,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"185.165.190.34","remote_port":"44502","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/.well-known/security.txt","headers":{"Accept-Encoding":["identity"]}},"user_id":"","duration":0.00004096,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/.well-known/security.txt"],"Content-Type":[]}}
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
| ├ update evt.ExpectMode : %!s(int=0) -> 1
| ├ update evt.Stage : -> s01-parse
| ├ update evt.Line.Raw : -> {"level":"info","ts":1689819255.9251556,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"185.165.190.34","remote_port":"44502","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/.well-known/security.txt","headers":{"Accept-Encoding":["identity"]}},"user_id":"","duration":0.00004096,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/.well-known/security.txt"],"Content-Type":[]}}
| ├ update evt.Line.Src : -> /mnt/data/work/caddy/log/access.log
| ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.548887845 +0000 UTC
| ├ create evt.Line.Labels.type : caddy
| ├ update evt.Line.Process : %!s(bool=false) -> true
| ├ update evt.Line.Module : -> file
| ├ create evt.Parsed.message : {"level":"info","ts":1689819255.9251556,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"185.165.190.34","remote_port":"44502","proto":"HTTP/1.1","method":"GET","host":"0.0.0.0","uri":"/.well-known/security.txt","headers":{"Accept-Encoding":["identity"]}},"user_id":"","duration":0.00004096,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://0.0.0.0/.well-known/security.txt"],"Content-Type":[]}}
| ├ create evt.Parsed.program : caddy
| ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-22 08:35:13.548921485 +0000 UTC
| ├ create evt.Meta.datasource_path : /mnt/data/work/caddy/log/access.log
| ├ create evt.Meta.datasource_type : file
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/caddy-logs
| ├ 🟢 crowdsecurity/mywhitelists (+1)
| ├ create evt.Parsed.remote_ip : 185.165.190.34
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴