Hello everyone,
CrowdSec is new to me; this is my first post here, and of course it is a question about parsers, especially for Postfix.
First some information.
CrowdSec comes from openSUSE:
CrowdSec Version:
cscli version
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-04-19T12:00:00Z
GoVersion: 1.24.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Collections:
cscli collections list
─────────────────────────────────────────────────────────────────────────────────────
COLLECTIONS
─────────────────────────────────────────────────────────────────────────────────────
Name 📦 Status Version Local Path
─────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/postfix ✔ enabled 0.4 /etc/crowdsec/collections/postfix.yaml
─────────────────────────────────────────────────────────────────────────────────────
Parsers:
cscli parsers list
───────────────────────────────────────────────────────────────────────────────────────────────────────────
PARSERS
───────────────────────────────────────────────────────────────────────────────────────────────────────────
Name 📦 Status Version Local Path
───────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/postfix-logs ✔ enabled 0.9 /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml
crowdsecurity/postscreen-logs ✔ enabled 0.3 /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml
crowdsecurity/whitelists ✔ enabled 0.3 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
───────────────────────────────────────────────────────────────────────────────────────────────────────────
Acquisition for Postfix /etc/crowdsec/acquis.d/postfix.yaml
filenames:
  - /var/log/mail
labels:
  type: syslog
cscli metrics show acquisition
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/mail │ 1.16k │ - │ 1.16k │ - │ - │
╰────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
As you can see, no lines are parsed.
I’ve already gone through various forum posts and troubleshooting guides, unfortunately without success.
What particularly puzzles me is the following:
cscli explain -v --log "2025-05-06T17:56:54.132546+02:00 mx01 postfix/smtpd[14483]: warning: non-SMTP command from doriansco.com[193.233.203.93]: Message-ID: <80cf862dd91d373c1fb5fc57a3674d46b836f7@shopaways.org>" --type syslog
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain326842116/parser-dump.yaml
line: 2025-05-06T17:56:54.132546+02:00 mx01 postfix/smtpd[14483]: warning: non-SMTP command from doriansco.com[193.233.203.93]: Message-ID: <80cf862dd91d373c1fb5fc57a3674d46b836f7@shopaways.org>
├ s01-parse
| ├ 🔴 crowdsecurity/postfix-logs
| └ 🔴 crowdsecurity/postscreen-logs
└-------- parser failure 🔴
As far as I can understand grok, this line should be hit by the following section in /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml:
apply_on: message
pattern: 'warning: non-SMTP command from %{POSTFIX_HOSTNAME:remote_host}\[%{IP:remote_addr}\]: %{GREEDYDATA:command}'
statics:
- meta: log_type_enh
value: non-smtp-command
What am I missing?
THX so far!
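Added illustration, not from the post or from the CrowdSec hub: a small Python model of the two-stage parsing that the post's grok pattern depends on. An `apply_on: message` pattern only ever sees the part of the line that an earlier syslog stage (s00-raw, which the parsers list above does not show) has split off as `message`; fed the raw line instead, the very same pattern matches nothing, which is the failure `cscli explain` reports. The regex equivalents of POSTFIX_HOSTNAME, IP and GREEDYDATA, and the program filter in `pipeline()`, are my approximations.

```python
import re
from typing import Optional

# Sample input: the log line quoted in the post above.
SAMPLE_LINE = (
    "2025-05-06T17:56:54.132546+02:00 mx01 postfix/smtpd[14483]: warning: "
    "non-SMTP command from doriansco.com[193.233.203.93]: Message-ID: "
    "<80cf862dd91d373c1fb5fc57a3674d46b836f7@shopaways.org>"
)

# Stage 0 (s00-raw): what a syslog parser does before postfix-logs runs.
# It peels off timestamp, host and program[pid], leaving the rest as "message".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<message>.*)$"
)

# Stage 1 (s01-parse): the grok pattern from the post, rewritten as plain
# regex. POSTFIX_HOSTNAME, IP and GREEDYDATA are approximated (assumption).
NON_SMTP_RE = re.compile(
    r"^warning: non-SMTP command from (?P<remote_host>[A-Za-z0-9._-]+)"
    r"\[(?P<remote_addr>\d{1,3}(?:\.\d{1,3}){3})\]: (?P<command>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split a syslog-formatted line into its header fields and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_non_smtp(message: str) -> Optional[dict]:
    """Apply the 'non-SMTP command' pattern to a message (not a full line)."""
    m = NON_SMTP_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["log_type_enh"] = "non-smtp-command"  # the 'statics' from the post
    return fields


def pipeline(line: str) -> Optional[dict]:
    """Stage 0 then stage 1, the order the stages run in."""
    hdr = parse_syslog(line)
    # Mirrors the program filter a postfix parser applies (exact expression
    # is an assumption): skip lines that are not from a postfix daemon.
    if hdr is None or not hdr["program"].startswith("postfix"):
        return None
    fields = parse_non_smtp(hdr["message"])
    return {**hdr, **fields} if fields else None
```

`pipeline(SAMPLE_LINE)` yields `remote_host`, `remote_addr`, `command` and the `log_type_enh` static, while `parse_non_smtp(SAMPLE_LINE)` returns None because the syslog header still precedes `warning:`. If the stage-0 split never happens, stage 1 cannot match, whatever the grok pattern says.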