auth.log seems to not get parsed

It seems my crowdsec instance is not parsing auth.log file from ubuntu linux.
I am running the crowdsec container, I have my auth.log mounted in the docker container.
Here is the metrics output:

├──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                           │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log           │ 249        │ 1            │ 248            │ 4                      │ -                 │

├──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                           │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log           │ 249        │ 1            │ 248            │ 4                      │ -                 │

When I run on the auth.log cscli explain, it correctly detects scenarios:

    ├ Scenarios
        ├ 🟢 crowdsecurity/ssh-bf

    ├ Scenarios
        ├ 🟢 crowdsecurity/ssh-bf

It also fails to parse some lines:

    └-------- parser failure 🔴

    └-------- parser failure 🔴

No decisions are made for the IPs that trigger scenarios.

CrowdSec•6/2/25, 10:24 AM

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command

/resolve

/resolve

or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

•

6/2/25, 10:25 AM

CCrowdSec Empty message

CrowdSecAPP•6/2/25, 10:25 AM

Resolving auth.log seems to not get parsed

CrowdSec•6/2/25, 10:25 AM

This has now been resolved. If you think this is a mistake please run

CCrowdSec Empty message

CrowdSecAPP•6/2/25, 10:25 AM

Unresolving auth.log seems to not get parsed

CrowdSec•6/2/25, 10:25 AM

This has now been unresolved.

atiOP•6/11/25, 7:38 AM

It seems more people are running into this issue as it is posted on some forums, but it seems nobody found a solution yet no those forums.

Aati It seems more people are running into this issue as it is posted on some forums,...

Loz•6/11/25, 7:51 AM

The issue is your missing stage parsers, you need to also install collection

Loz•6/11/25, 7:51 AM

oooh

Loz•6/11/25, 7:51 AM

wait

Loz•6/11/25, 7:51 AM

im an idiot and didnt read it properly need my

Loz•6/11/25, 7:52 AM

do you have examples of the log lines that fail to parse? you can redact the IP addresses

Loz•6/11/25, 7:52 AM

cause ssh scenario detect fail logins and the scenario only overflows if the IP login multiple times within a set timeframe, it doesnt overflow at the first sign of a failed login

atiOP•6/11/25, 7:53 AM

i can give you more logs sure

atiOP•6/11/25, 7:53 AM

so what I see is a flood of login attempts with multiple user names

atiOP•6/11/25, 7:53 AM

like 30-40 times with users like lenovo and ibm and so

atiOP•6/11/25, 7:55 AM

here

atiOP•6/11/25, 8:00 AM

as visible above, for some reason only 1 line of auth.log was parsed

Aati here

Loz•6/11/25, 9:30 AM

I guess you cropped out the timestamps and other information like program?

atiOP•6/11/25, 9:31 AM

yep

Loz•6/11/25, 9:31 AM

cause like I said, it depends on timeframe so without that I cant understand if it an actual issue

atiOP•6/11/25, 9:34 AM

so this is mostly in time frame of a second

Aati so this is mostly in time frame of a second

Loz•6/11/25, 9:35 AM

any chance you can DM the raw log lines as I need to test them,

atiOP•6/11/25, 9:36 AM

okay le me try

_KaszpiR_•6/13/25, 5:59 AM

Its probably because of the timestamp

_KaszpiR_•6/13/25, 6:00 AM

I had the same issue recently https://discord.com/channels/921520481163673640/922593826986672178/1381389460880494643

_KaszpiR_•6/13/25, 6:01 AM

Maybe ubuntu switched from ISO to RFC3339

_KaszpiR_•6/13/25, 6:02 AM

But it would mean they changed their default rsyslog config after years

_KaszpiR_•6/13/25, 6:02 AM

But then it would affect much more log parsers

__KaszpiR_Maybe ubuntu switched from ISO to RFC3339

m3tc0n•8/13/25, 9:35 PM

I have the same problem. My logs dont get parsed because of the RFC3339 time stamps. Do you have a fix?

Mm3tc0n I have the same problem. My logs dont get parsed because of the RFC3339 time sta...

Loz•8/14/25, 7:18 AM

I cant find my previous chats with OP, so if anyone can provide some examples logs I can investigate the parser

_KaszpiR_•8/14/25, 8:08 AM

https://github.com/crowdsecurity/hub/issues/725#issuecomment-2954284896 some example and explanation related to other parser

GitHub

Bug found in a1ad/mikrotik-logs · Issue #725 · crowdsecurity/hub

@a1ad This one is for you. I troubleshooted the a1ad/mikrotik-logs parser on a ROS 7.9 VM. Nothing was parsing using the original parser: %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} i...

_KaszpiR_•8/14/25, 8:10 AM

Generally ubuntu switched to different time format and jt becomes a real mess when doing upgrades

_KaszpiR_•8/14/25, 8:13 AM

I remember it causes various problems with other apps so i keep the old format and just adjusted only specific one, no time to fix it then (or now), maybe in the near future

Loz•8/14/25, 9:56 AM

Okay just so I can get up to speed, ubuntu changed default timestamp but only for rsyslog remote? or all cases and this example in mikrotik is simply where you found it?

m3tc0n•8/14/25, 10:27 AM

I have the problem with the firewall bouncer nog having any hits. So I investigated and discovered auth.log having different time stamps so the logs dont get parsed. Maybe syslog is also in the different time stamps. I wouldnt be surprised.

Loz•8/14/25, 10:30 AM

Well you can test it via the below command:

or simply

LLoz Okay just so I can get up to speed, ubuntu changed default timestamp but only fo...

_KaszpiR_•8/14/25, 10:33 AM

Afair they changed defaults in the /etc/rsyslog.conf which affects everything

_KaszpiR_•8/14/25, 10:34 AM

And AFAIR it mainly affects systems without journald (especially Debian)

Loz•8/14/25, 10:35 AM

you mean without rsyslog cause debian 12 doesnt come with it by default but journald should be there

LLoz Well you can test it via the below command: ``` grep sshd /var/log/auth.log | gr...

m3tc0n•8/14/25, 10:55 AM

I am getting this results when adjusting the command:

Mm3tc0n I am getting this results when adjusting the command: ``` [ramon@docker-2: $~]$...

Loz•8/14/25, 11:38 AM

Lol because your its logging the docker exec command cause it matches itself, can you first then run it but it may now pick up on that command so you may want to add

before the explain

but you can see from that log line that it passed the parser so the timestamp didnt matter

LLoz Lol because your `sudo` its logging the docker exec command cause it matches its...

m3tc0n•8/14/25, 12:28 PM

Thanks, it says the log file is empty

Mm3tc0n Thanks, it says the log file is empty

Loz•8/14/25, 1:15 PM

then you most likely dont have any ssh failed logins.

m3tc0n•8/14/25, 1:27 PM

Good to know. Thanks!