Hello, I'm trying to modify the existing Sonarr parser available for download to make it work with logs parsed by the cri-logs parser, but I'm having some issues with escaping the square brackets in this log format: "2024-07-31T15:01:24.667698131Z stdout F [Warn] Auth: Auth-Failure ip 192.168.91.4 username 'darkfellakjhkhjkh'". Currently I tested this pattern for parsing the authentication-failure logs, and when I run it in Grok Debugger it parses the line correctly: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:stream} %{WORD:logtag} [Warn] Auth: Auth-Failure ip %{IP:source_ip} username '%{DATA:username}'". The problem is that the validation schema for CrowdSec parsers expects double backslashes for escaping square brackets, and if I use those, the grok pattern is no longer able to match the information in the logs. This is the content of the custom parser YAML file. Wondering if someone can give me a hint as to how to make this work with the logging format created by cri-logs.
onsuccess: next_stage
filter: "evt.Parsed.program in ['mono', 'Sonarr']"
name: schiz0phr3ne/sonarr-logs
description: "Parse Sonarr Logs"
nodes:
  - grok:
      # Inside a YAML double-quoted scalar the backslash is itself an escape
      # character, so "\\[" is what hands grok the literal "\[" it needs.
      pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:stream} %{WORD:logtag} \\[Warn\\] Auth: Auth-Failure ip %{IP:source_ip} username '%{DATA:username}'"
      apply_on: message
    onsuccess: next_stage
    statics:
      - meta: log_type
        value: sonarr_failed_authentication
      - meta: service
        value: sonarr
      - meta: source_ip
        expression: "evt.Parsed.source_ip"
      - target: evt.StrTime
        expression: "evt.Parsed.timestamp"
      - meta: username
        expression: evt.Parsed.username
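To check what the grok engine must actually receive, here is an added example (not part of the post or of CrowdSec) that expands the grok macros used above into a Python regex and runs it against the cri-logs line from the question. It assumes the quotes around the username in the real Sonarr log are plain ASCII apostrophes, and the macro regexes are simplified stand-ins for the grok library definitions.

```python
import re

# Constructed sample line in cri-logs format, taken from the question,
# with plain ASCII apostrophes around the username.
SAMPLE = ("2024-07-31T15:01:24.667698131Z stdout F [Warn] Auth: Auth-Failure "
          "ip 192.168.91.4 username 'darkfellakjhkhjkh'")

# Simplified regexes for the grok macros the pattern uses (assumed here,
# not the full grok library definitions; sufficient for this log format).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "WORD": r"\b\w+\b",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "DATA": r".*?",
}

def grok_to_regex(pattern: str) -> str:
    """Expand each %{MACRO:name} into a named group; literal text is kept as-is."""
    def repl(m):
        macro, name = m.group(1), m.group(2)
        return f"(?P<{name}>{GROK[macro]})"
    return re.sub(r"%\{(\w+):(\w+)\}", repl, pattern)

def parse(pattern: str, line: str):
    """Return the captured fields as a dict, or None when the pattern does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# The string grok must receive: one backslash before each bracket, so that
# "[Warn]" is matched literally instead of being read as a character class.
ESCAPED = (r"%{TIMESTAMP_ISO8601:timestamp} %{WORD:stream} %{WORD:logtag} "
           r"\[Warn\] Auth: Auth-Failure ip %{IP:source_ip} username '%{DATA:username}'")

# A double-quoted scalar written with "\\[" (YAML, JSON and Python all use the
# same backslash escaping here) decodes to exactly that single-backslash string.
DOUBLE_QUOTED = ("%{TIMESTAMP_ISO8601:timestamp} %{WORD:stream} %{WORD:logtag} "
                 "\\[Warn\\] Auth: Auth-Failure ip %{IP:source_ip} username '%{DATA:username}'")

# Without the escape, "[Warn]" is a character class matching a single letter
# and the whole pattern fails on this line.
UNESCAPED = ESCAPED.replace(r"\[Warn\]", "[Warn]")

if __name__ == "__main__":
    print(DOUBLE_QUOTED == ESCAPED)   # the YAML-style escape yields the grok pattern
    print(parse(ESCAPED, SAMPLE))     # fields: timestamp, stream, logtag, source_ip, username
    print(parse(UNESCAPED, SAMPLE))   # None: brackets were read as a character class
```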