Hello! I am currently trying to use crowdsec on my Apache Guacamole server. I used the corvese/apache-guacamole-logs collection and edited the pattern of the parser. Sadly, I always get a parser failure, but my pattern is supposed to work according to https://grokdebugger.com/
I have attached my parser as an image (/etc/crowdsec/parsers/s01-parse/apache-guacamole-logs.yaml)
Here is the command I use to test:
cscli explain --log "2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed." --type corvese/apache-guacamole-logs --debug
And this is the output:
DEBU[2025-07-03T13:25:52Z] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2025-07-03T13:25:52Z] Loading yaml file: '/etc/crowdsec/config.yaml' with additional values from '/etc/crowdsec/config.yaml.local'
DEBU[2025-07-03T13:25:52Z] the option 'daemonize' is deprecated and ignored
DEBU[2025-07-03T13:25:52Z] Enabled feature flags: none
DEBUG file /tmp/cscli_explain2419963357/cscli_test_tmp.log has 1 lines
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain2419963357/parser-dump.yaml
line: 2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user dqfhnqtn failed.
	├ s01-parse
	|	└ 🔴 corvese/apache-guacamole-logs
	└-------- parser failure 🔴
What am I doing wrong here? How can I get more details on the error?
My server OS is Debian. Crowdsec version: v1.6.9-debian-pragmatic-amd64-40b8cfe6
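Added example, not part of the original post: the `line:` entry in the explain output above shows the username without its double quotes, and this shell sketch reproduces why. The regular expression and the helper `classify_line` are constructed for illustration and are not the collection's grok pattern, which is not visible on the page.

```shell
#!/bin/sh
# Constructed check (assumption, not the collection's grok pattern): matches
# the Guacamole failure line only if the username is still in double quotes.
QUOTED_USER_RE='Authentication attempt from [0-9.]+(:[0-9]+)? for user "[^"]+" failed\.'

# Hypothetical helper: reports how a log line looks once the shell has
# finished processing it, i.e. what a program receives as its argument.
classify_line() {
    if printf '%s\n' "$1" | grep -Eq "$QUOTED_USER_RE"; then
        echo "quotes-kept"
    else
        echo "quotes-stripped"
    fi
}

# Quoted as in the post: each inner double quote closes and reopens the outer
# string, so the shell removes them and joins the pieces into one word.
as_typed="2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed."

# Single quotes hand the line over byte for byte, inner quotes included.
single_quoted='2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed.'

# Backslash-escaping the inner quotes inside double quotes also keeps them.
escaped="2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user \"dqfhnqtn\" failed."

echo "double-quoted as in the post: $(classify_line "$as_typed")"
echo "single-quoted:                $(classify_line "$single_quoted")"
echo "escaped inner quotes:         $(classify_line "$escaped")"
```

Passing the same line to `cscli explain --log` inside single quotes makes the test input match what Guacamole actually writes; whether the edited pattern then matches depends on the pattern itself.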