CrowdSec4mo ago
Yohan

Apache parser failure

Hello, I am trying to set up crowdsec on one of my Ubuntu servers. I am at the very beginning of the process, and I can't even get a test working.
My Apache stores logs in /var/log/apache2/other_vhosts_access.log
When I test a log with 'cscli explain', I always get a parser failure. What am I missing here?
I already tried to change the log format to "combined" in another file with the same result ...
The command (with IP and domain changed):
cscli explain --log 'mydomain.com:80 1.1.1.1 - - [18/Jun/2025:13:17:43 +0000] "GET /front/cron.php HTTP/1.1" 200 63 "https://mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"' --type apache --color yes --debug
The result (with IP and domain changed):
DEBU[2025-06-18T13:18:56Z] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2025-06-18T13:18:56Z] the option 'daemonize' is deprecated and ignored
DEBU[2025-06-18T13:18:56Z] Enabled feature flags: none
DEBUG file /tmp/cscli_explain2737993452/cscli_test_tmp.log has 1 lines
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain2737993452/parser-dump.yaml
line: mydomain.com:1.1.1.1 - - [18/Jun/2025:13:17:43 +0000] "GET /front/cron.php HTTP/1.1" 200 63 "https://mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"
├ s00-raw
|├  crowdsecurity/syslog-logs
|└  crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
|├  crowdsecurity/apache2-logs
|└  crowdsecurity/sshd-logs
└-------- parser failure
Thanks for the help 🙏
iiamloz 4mo ago
It's because the type is apache2, not just apache.
sudo cscli explain --log 'mydomain.com:80 1.1.1.1 - - [18/Jun/2025:13:17:43 +0000] "GET /front/cron.php HTTP/1.1" 200 63 "https://mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"' --type apache2 --color yes --debug --only-successful-parsers
DEBU[2025-06-18T15:25:56+01:00] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2025-06-18T15:25:56+01:00] the option 'daemonize' is deprecated and ignored
DEBU[2025-06-18T15:25:56+01:00] Enabled feature flags: re2_grok_support, re2_regexp_in_file_support
DEBUG file /tmp/cscli_explain1950272216/cscli_test_tmp.log has 1 lines
DEBUG Line 0/1 has evt.StrTime set to '18/Jun/2025:13:17:43 +0000' file=/tmp/cscli_explain1950272216/parser-dump.yaml
line: mydomain.com:80 1.1.1.1 - - [18/Jun/2025:13:17:43 +0000] "GET /front/cron.php HTTP/1.1" 200 63 "https://mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"
├ s00-raw
| └ 🟢 crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| └ 🟢 crowdsecurity/apache2-logs (+22 ~2)
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
| ├ 🟢 crowdsecurity/geoip-enrich (+13)
| ├ 🟢 crowdsecurity/http-logs (+7)
| ├ 🟢 crowdsecurity/jellyfin-whitelist (unchanged)
| └ 🟢 crowdsecurity/nextcloud-whitelist (unchanged)
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/http-crawl-non_statics
└ 🟢 crowdsecurity/http-dos-swithcing-ua
Yohan (OP) 4mo ago
OMG I feel so dumb. Thank you so much for taking the time to answer 🙏
iiamloz 4mo ago
No worries. If you check out the hub collection, most of the time it has an example acquisition with the type you need: https://app.crowdsec.net/hub/author/crowdsecurity/collections/apache2
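
The same label fix applied to a file acquisition for the log path from the question, as an added example that is not part of the original thread or the hub page. The acquisition file name is an assumption; the log path and both label values come from the thread.

```yaml
# /etc/crowdsec/acquis.d/apache2.yaml   (file name is an assumption)
#
# Misconfigured variant, kept commented out for comparison.
# With the label "apache", the line passes s00-raw but no parser in
# s01-parse accepts it, which is the "parser failure" shown in the
# question's `cscli explain` output.
#
# source: file
# filenames:
#   - /var/log/apache2/other_vhosts_access.log
# labels:
#   type: apache

# Corrected variant: the label matches what crowdsecurity/apache2-logs
# expects, so the line goes on to s02-enrich and the scenarios, as in
# the successful `cscli explain` run in the reply.
source: file
filenames:
  - /var/log/apache2/other_vhosts_access.log
labels:
  type: apache2
```

The value passed to `cscli explain --type` should be the same string as `labels.type` here, so that the test exercises the parsers the running agent will use.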