Sshd-logs parser: problems with log files

Hello everybody,
I was testing Crowdsec in several syslog-based files to watch ssh logins. I have used the command cscli explain -f XXXX --failures -t syslog with the official Crowdsec docker image and I have found that, in spite of the fact that syslog parser is working in my first test, the sshd-logs parser is not acting adequately.

Firstly, an example working correctly extracted from a Debian-based-distro’s /var/log/auth.log:

Oct 29 00:37:56 bananapipro sshd[23082]: Failed password for nicux from XX.XX.XX.XX port 45874 ssh2

The aforementioned cscli command prints nothing (no failures).

In contrast, when I use an Alpine LInux’s /var/log/messages.log the sshd-logs parser fails and, therefore, cscli prints:
line: Oct 29 00:06:10 rpi auth.info sshd[26197]: Failed password for nicux from XX.XX.XX.XX port 45866 ssh2
├ s00-raw
| ├ crowdsecurity/docker-logs
| └ crowdsecurity/syslog-logs (first_parser)
├ s01-parse
| ├ crowdsecurity/sshd-logs
| └ crowdsecurity/traefik-logs
└-------- parser failure

On the other hand, my third test was with a Docker image from linuxserver.io (linuxserver/openssh-server - LinuxServer.io). In this case, they do not use syslog exactly, but s6-log, and the s00 parsers fail, as expected:
line: 2022-10-26 23:43:54.665316842 Connection closed by authenticating user nicux XX.XX.XX.XX port 45826 [preauth]
├ s00-raw
| ├ crowdsecurity/docker-logs
| ├ crowdsecurity/non-syslog
| └ crowdsecurity/syslog-logs
└-------- parser failure
I was checking the syslog parser syntax in https://docs.crowdsec.net/docs/parsers/patterns/ and I wonder if TIMESTAMP_ISO8601 pattern should work with this text and why the parser is not working exactly.

I am a newbie with respect to write/modify the Crowdsec’s parsers and I don’t know if somebody is interested in including these cases in the parsers.

Realised after reading the post deeper my first reply completely missed the point.

The second log line fails because there is a space inbetween rpi and auth.info if they line was together it would work:

line: Oct 29 00:06:10 rpi.auth.info sshd[26197]: Failed password for nicux from 10.10.10.10 port 45866 ssh2
├ s00-raw
| └ crowdsecurity/syslog-logs (first_parser)
├ s01-parse
| ├ LePresidente/authelia-logs
| ├ LePresidente/emby-logs
| ├ LePresidente/gitea-logs
| ├ LePresidente/jellyseerr-logs
| ├ LePresidente/ombi-logs
| ├ baudneo/gotify-logs
| ├ crowdsecurity/apache2-logs
| ├ crowdsecurity/asterisk-logs
| ├ crowdsecurity/caddy-logs
| ├ crowdsecurity/cpanel-logs
| ├ crowdsecurity/dovecot-logs
| ├ crowdsecurity/dropbear-logs
| ├ crowdsecurity/endlessh-logs
| ├ crowdsecurity/exchange-imap-logs
| ├ crowdsecurity/exchange-pop-logs
| ├ crowdsecurity/exchange-smtp-logs
| ├ crowdsecurity/fastly-logs
| ├ crowdsecurity/haproxy-logs
| ├ crowdsecurity/home-assistant-logs
| ├ crowdsecurity/iis-logs
| ├ crowdsecurity/iptables-logs
| ├ crowdsecurity/litespeed-logs
| ├ crowdsecurity/magento-extension-logs
| ├ crowdsecurity/mariadb-logs
| ├ crowdsecurity/modsecurity
| ├ crowdsecurity/mssql-logs
| ├ crowdsecurity/mysql-logs
| ├ crowdsecurity/nextcloud-logs
| ├ crowdsecurity/nginx-logs
| ├ crowdsecurity/nginx-proxy-manager-logs
| ├ crowdsecurity/odoo-logs
| ├ crowdsecurity/opnsense-gui-logs
| ├ crowdsecurity/pgsql-logs
| ├ crowdsecurity/pkexec-logs
| ├ crowdsecurity/postfix-logs
| ├ crowdsecurity/postscreen-logs
| ├ crowdsecurity/smb-logs
| ├ crowdsecurity/sshd-logs (+9 ~1)
| ├ update evt.Stage : s01-parse → s02-enrich
| ├ create evt.Parsed.sshd_auth_type : password
| ├ create evt.Parsed.sshd_client_ip : 10.10.10.10
| ├ create evt.Parsed.sshd_invalid_user : nicux
| ├ create evt.Parsed.sshd_port : 45866
| ├ create evt.Parsed.sshd_protocol : ssh2
| ├ create evt.Meta.service : ssh
| ├ create evt.Meta.source_ip : 10.10.10.10
| ├ create evt.Meta.target_user : nicux
| ├ create evt.Meta.log_type : ssh_failed-auth
| ├ firewall-services/lemonldap-ng-logs
| ├ firewallservices/pf-logs
| ├ firewallservices/pf-logs-drop
| ├ fulljackz/proxmox-logs
| ├ fulljackz/pureftpd-logs
| ├ hitech95/nginx-mail-logs
| ├ jusabatier/apereo-cas-audit-logs
| ├ lourys/pterodactyl-wings-logs
| ├ proftpd-logs
| ├ schiz0phr3ne/prowlarr-logs
| ├ schiz0phr3ne/radarr-logs
| ├ schiz0phr3ne/sonarr-logs
| ├ timokoessler/gitlab-logs
| └ timokoessler/mongodb-logs
├ s02-enrich
| ├ crowdsecurity/dateparse-enrich (+2 ~1)
| ├ create evt.Enriched.MarshaledTime : 2022-10-29T00:06:10Z
| ├ update evt.MarshaledTime : → 2022-10-29T00:06:10Z
| ├ create evt.Meta.timestamp : 2022-10-29T00:06:10Z
| ├ crowdsecurity/geoip-enrich (+9)
| ├ create evt.Enriched.ASNNumber : 0
| ├ create evt.Enriched.ASNOrg :
| ├ create evt.Enriched.ASNumber : 0
| ├ create evt.Enriched.IsInEU : false
| ├ create evt.Enriched.IsoCode :
| ├ create evt.Enriched.Latitude : 0.000000
| ├ create evt.Enriched.Longitude : 0.000000
| ├ create evt.Meta.ASNNumber : 0
| ├ create evt.Meta.IsInEU : false
| ├ crowdsecurity/http-logs
| ├ crowdsecurity/naxsi-logs
| └ crowdsecurity/whitelists (~2 [whitelisted])
| └ update evt.Whitelisted : %!s(bool=false) → true
| └ update evt.WhitelistReason : → private ipv4/ipv6 ip/ranges
└-------- parser failure

And as you stated the docker image would never work as it is not syslog so that would need a custom parser most likely.

Thank you!! Now I need to find how to modify the Alpine’s default syslog … or change the parser in Crowdsec?

To avoid the parser’s problem I have installed syslog-ng in Alpine Linux. The default syslog-busybox Alpine uses prints a column more.