Parser syslog-logs.yaml has no name,author or description. Skipping?

On a fresh install of crowdsec on Debian 10, still figuring things out, I had a look at /var/log/crowdsec.log and found this:

time="02-11-2020 13:29:51" level=info msg="Node in /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping."

That sounds weird, seeing that I haven’t touched that file. I tried a cscli upgrade parser followed by systemctl reload crowdsec but that entry in the log file popped up again.

Hi,

This is weird. Can you tell us how you installed the syslog-logs parser? Did you use the wizard?

And can you post the content of your /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml file?

Thanks for your feedback

I installed crowdsec using the details from here: https://github.com/crowdsecurity/crowdsec

curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url| cut -d '"' -f 4  | wget -i -
tar xvzf crowdsec-release.tgz
cd crowdsec-v*
sudo ./wizard.sh -i

I left all checkboxes which the wizard suggested checked after which I used cscli and installed a few more collections and restarted the service.

This is the current content of the yaml file but meanwhile I have tried a few more times to update via cscli so the problem might be solved.

cat /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml
#If it's syslog, we are going to extract progname from it
filter: "evt.Line.Labels.type == 'syslog'"
onsuccess: next_stage
name: crowdsecurity/syslog-logs
grok:
  #this is a named regular expression. grok patterns can be kept into separate files for readability
  name: "SYSLOGLINE"
  #This is the field of the `Event` to which the regexp should be applied
  apply_on: Line.Raw
#if the node was successfull, statics will be applied.
statics:
  - parsed: "logsource"
    value: "syslog"
# syslog date can be in two different fields (one of hte assignment will fail)
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  - target: evt.StrTime
    expression: evt.Parsed.timestamp8601
---
#if it's not syslog, the type is the progname
filter: "evt.Line.Labels.type != 'syslog'"
onsuccess: next_stage
name: crowdsecurity/non-syslog
#debug: true
statics:
  - parsed: message
    expression: evt.Line.Raw
  - parsed: program
    expression: evt.Line.Labels.type
---

Ok,

Then we’ll try to reproduce your issue on our side to fix it.

Can you check the outputs of cscli list and cscli metrics to be sure that your installation is now OK? If you are not sure, you can provide us with these outputs.

Thanks

Hi,

After some double-checking, it’s a normal caveat. It’s only because of the trailing “---” in the syslog-logs parsing configuration file. It doesn’t mean that anything is wrong. This will be fixed in a near-future release.


Thanks for looking into it.
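
The cause given in the reply above, as an added example that is not CrowdSec's code and not part of the original thread: a small check that splits a parser file on `---` and separates the harmless empty document left by a trailing separator from a node that has content but no identifying field. It assumes a line-based split instead of a YAML library, takes the three identity keys from the wording of the log message, and uses hypothetical function names and a constructed sample.

```python
import re

# Constructed sample: two named nodes followed by a trailing separator,
# the same shape as the file posted in this thread.
SAMPLE = """\
filter: "evt.Line.Labels.type == 'syslog'"
grok:
  name: "SYSLOGLINE"
name: crowdsecurity/syslog-logs
---
#if it's not syslog, the type is the progname
filter: "evt.Line.Labels.type != 'syslog'"
name: crowdsecurity/non-syslog
---
"""

SEPARATOR = re.compile(r"^---(\s.*)?$")                  # YAML document marker
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:\s*(.*)$")  # unindented keys only
IDENTITY_KEYS = ("name", "author", "description")        # assumption: from the log message


def content_lines(lines):
    """Drop blank lines and comment-only lines."""
    return [l for l in lines if l.strip() and not l.lstrip().startswith("#")]


def split_documents(text):
    """Line-based split on '---'; assumes no separator inside block scalars."""
    docs = [[]]
    for line in text.splitlines():
        if SEPARATOR.match(line):
            docs.append([])
        else:
            docs[-1].append(line)
    # Blank lines or comments before a leading '---' are not a document.
    if len(docs) > 1 and not content_lines(docs[0]):
        docs.pop(0)
    return docs


def audit(text):
    """Return (position, status, name) for each document in the stream."""
    report = []
    for pos, doc in enumerate(split_documents(text), start=1):
        body = content_lines(doc)
        keys = dict(m.groups() for m in map(TOP_KEY.match, body) if m)
        status = ("empty" if not body                    # nothing after a trailing '---'
                  else "ok" if any(k in keys for k in IDENTITY_KEYS)
                  else "unidentified")                   # real content, no identity field
        report.append((pos, status, keys.get("name")))
    return report
```

An `empty` entry in last position matches the benign case described in the reply; an `unidentified` entry is a node with content that is worth a closer look.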