CrowdSec4mo ago
Yohan

Parser failure

Hello! I am currently trying to use CrowdSec on my Apache Guacamole server. I used the corvese/apache-guacamole-logs collection and edited the pattern of the parser. Sadly, I always get a parser failure, but my pattern is supposed to work according to https://grokdebugger.com/. I have attached my parser as an image (/etc/crowdsec/parsers/s01-parse/apache-guacamole-logs.yaml). Here is the command I use to test: cscli explain --log "2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed." --type corvese/apache-guacamole-logs --debug And this is the output:
DEBU[2025-07-03T13:25:52Z] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2025-07-03T13:25:52Z] Loading yaml file: '/etc/crowdsec/config.yaml' with additional values from '/etc/crowdsec/config.yaml.local'
DEBU[2025-07-03T13:25:52Z] the option 'daemonize' is deprecated and ignored
DEBU[2025-07-03T13:25:52Z] Enabled feature flags: none
DEBUG file /tmp/cscli_explain2419963357/cscli_test_tmp.log has 1 lines
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain2419963357/parser-dump.yaml
line: 2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user dqfhnqtn failed.
├ s01-parse
| └ 🔴 corvese/apache-guacamole-logs
└-------- parser failure 🔴
What am I doing wrong here? How can I get more details on the error? My server OS is Debian. CrowdSec version: v1.6.9-debian-pragmatic-amd64-40b8cfe6. Thanks a lot for taking some time to help me!
CrowdSec
CrowdSec4mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
iiamloz
iiamloz4mo ago
You're missing the s00 parsers, so you must install them with cscli collections install crowdsecurity/linux. The extra information is that you're missing the syslog-logs parser, which has the parser that knows how to convert file-based log lines into appropriate s01 stage items.
Yohan
YohanOP4mo ago
Thanks a lot for your help. I installed crowdsecurity/linux, even rebooted, but still the same error. Maybe my command is wrong? cscli explain --log "2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed." --type corvese/apache-guacamole-logs --debug
[image attachment]
iiamloz
iiamloz4mo ago
Hmmm, can you show the output of cscli config show?
Yohan
YohanOP4mo ago
[image attachment]
iiamloz
iiamloz4mo ago
Okay, also ls -la /etc/crowdsec/parsers/**/*.yaml
Yohan
YohanOP4mo ago
[image attachment]
iiamloz
iiamloz4mo ago
Ahh okay, so did you accidentally install the Debian version and then ours on top? Like version 1.4.6, then 1.6.9?
Yohan
YohanOP4mo ago
I had an update after adding the repos, so maybe!
iiamloz
iiamloz4mo ago
Can you try this script https://gist.github.com/LaurenceJJones/6960107296145e8e365009973b9d7f6d? It will basically update the symlinks, as the Debian version hosts them in a different folder, hence the red text: they are dead links. Then, if you run ls -la /etc/crowdsec/parsers/**/*.yaml again, none of them should be red, hopefully. Note this will override your changes, but I guess you're the one that created the PR?
Yohan
YohanOP4mo ago
Thank you @Loz. It looks like the script worked. I edited the parser again with my pattern, but it still fails.
[image attachment]
[image attachment]
Yohan
YohanOP4mo ago
Edited parser:
name: corvese/apache-guacamole-logs
description: "Parses Apache Guacamole logs"
filter: "evt.Parsed.program == 'apache-guacamole'"
onsuccess: next_stage
pattern_syntax:
  GUAC_CUSTOMUSER: "(%{EMAILADDRESS}|%{USERNAME})"
nodes:
  - grok:
      pattern: '%{TIMESTAMP_ISO8601:timestamp} \[[^\]]+\] %{LOGLEVEL:level}\s+[^-]+ - Authentication attempt from %{IP:source_ip}:%{INT:port} for user "%{USERNAME:username}" failed\.'
      apply_on: message
    statics:
      - meta: log_type
        value: apache-guacamole_failed_auth
      - meta: target_user
        expression: evt.Parsed.username
statics:
  - meta: service
    value: apache-guacamole
  - meta: source_ip
    expression: evt.Parsed.source_ip
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
I don't get why it fails; with Grok Debugger it looks fine.
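An added example, not part of this thread and not code from the corvese collection or from CrowdSec: a small Python script that expands the grok pattern from the parser above into a regular expression and runs it against the log line from this thread in two forms. It uses a hand-copied, simplified subset of the standard grok definitions (IPv4 only, a plain group instead of an atomic group for YEAR, a shortened LOGLEVEL list), so it only approximates what CrowdSec's grok engine does. The point it demonstrates: the first cscli explain output above prints the line as "for user dqfhnqtn failed.", meaning the inner double quotes of the --log argument were consumed by the shell before cscli saw them, while the pattern requires a quoted username. The quoted line matches and yields exactly the evt.Parsed fields seen in the successful run later in the thread; the shell-stripped line does not match at all.

```python
import re

# Simplified subset of the standard Logstash grok-patterns library (assumption:
# hand-copied and trimmed for this demonstration, not CrowdSec's own pattern set).
GROK_DEFS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    # SECOND accepts a ',' fraction separator, which is why "55,174Z" matches.
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": (r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                          r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"),
    "LOGLEVEL": (r"(?:[Tt]race|TRACE|[Dd]ebug|DEBUG|[Ii]nfo|INFO|[Ww]arn(?:ing)?"
                 r"|WARN(?:ING)?|[Ee]rror|ERROR|[Ff]atal|FATAL)"),
    # IPv4 only (the real %{IP} also accepts IPv6).
    "IP": (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}"
           r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"),
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# Matches %{NAME} or %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, defs=GROK_DEFS):
    """Expand grok references into a Python regex; %{NAME:field} becomes a named group."""
    def expand(match):
        name, field = match.group(1), match.group(2)
        body = defs[name]  # KeyError for an undefined pattern, like a grok compile error
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = pattern
    while GROK_REF.search(regex):  # definitions nest, so expand until none remain
        regex = GROK_REF.sub(expand, regex)
    return regex


# The grok pattern from the parser posted above, copied verbatim.
GUAC_PATTERN = (r'%{TIMESTAMP_ISO8601:timestamp} \[[^\]]+\] %{LOGLEVEL:level}\s+[^-]+'
                r' - Authentication attempt from %{IP:source_ip}:%{INT:port}'
                r' for user "%{USERNAME:username}" failed\.')
GUAC_RE = re.compile(grok_to_regex(GUAC_PATTERN))


def parse_failed_auth(line):
    """Return the captured fields (the evt.Parsed.* values) or None on parser failure."""
    match = GUAC_RE.search(line)  # unanchored search, as grok matching is
    return match.groupdict() if match else None


# Sample input: the log line from this thread, as it is read from the log file.
LINE_FROM_FILE = ('2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN '
                  'o.a.g.r.auth.AuthenticationService - Authentication attempt '
                  'from 1.2.3.4:6833 for user "dqfhnqtn" failed.')
# Constructed: the same line after a shell has consumed the inner double quotes,
# which is what the first cscli explain --debug output in this thread shows.
LINE_FROM_SHELL = LINE_FROM_FILE.replace('"', '')


if __name__ == "__main__":
    print("expanded regex:", GUAC_RE.pattern)
    print("from file :", parse_failed_auth(LINE_FROM_FILE))
    print("from shell:", parse_failed_auth(LINE_FROM_SHELL))
```

The practical check this suggests when cscli explain reports a parser failure on a single --log line: print the "line:" it echoes back and compare it character by character with the line in the actual log file; if the two differ, test with --file pointing at a file that contains the exact line instead, so the shell cannot alter it.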
iiamloz
iiamloz4mo ago
Can you run cscli collections install crowdsecurity/linux --force, and once that's done, I also noticed the type in your explain command is not correct: it should be apache-guacamole.
Yohan
YohanOP4mo ago
[image attachment]
iiamloz
iiamloz4mo ago
The type is just apache-guacamole, nothing else.
Yohan
YohanOP4mo ago
Same result; I just noticed I kept corvese/.
Yohan
YohanOP4mo ago
[image attachment]
iiamloz
iiamloz4mo ago
Works fine on my side:
line: 2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed.
├ s00-raw
| └ 🟢 crowdsecurity/non-syslog (+5 ~8)
| └ update evt.ExpectMode : %!s(int=0) -> 1
| └ update evt.Stage : -> s01-parse
| └ update evt.Line.Raw : -> 2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed.
| └ update evt.Line.Src : -> /tmp/cscli_explain1287061176/cscli_test_tmp.log
| └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-07-03 15:35:22.392009006 +0000 UTC
| └ create evt.Line.Labels.type : apache-guacamole
| └ update evt.Line.Process : %!s(bool=false) -> true
| └ update evt.Line.Module : -> file
| └ create evt.Parsed.program : apache-guacamole
| └ create evt.Parsed.message : 2025-07-03T12:58:55,174Z [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4:6833 for user "dqfhnqtn" failed.
| └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-07-03 15:35:22.392036764 +0000 UTC
| └ create evt.Meta.datasource_path : /tmp/cscli_explain1287061176/cscli_test_tmp.log
| └ create evt.Meta.datasource_type : file
├ s01-parse
| └ 🟢 corvese/apache-guacamole-logs (+9 ~2)
| └ update evt.Stage : s01-parse -> s02-enrich
| └ create evt.Parsed.port : 6833
| └ create evt.Parsed.source_ip : 1.2.3.4
| └ create evt.Parsed.timestamp : 2025-07-03T12:58:55,174Z
| └ create evt.Parsed.username : dqfhnqtn
| └ create evt.Parsed.level : WARN
| └ update evt.StrTime : -> 2025-07-03T12:58:55,174Z
| └ create evt.Meta.log_type : apache-guacamole_failed_auth
| └ create evt.Meta.service : apache-guacamole
| └ create evt.Meta.source_ip : 1.2.3.4
| └ create evt.Meta.target_user : dqfhnqtn
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
| ├ create evt.Enriched.MarshaledTime : 2025-07-03T12:58:55.174Z
| ├ update evt.Time : 2025-07-03 15:35:22.392036764 +0000 UTC -> 2025-07-03 12:58:55.174 +0000 UTC
| ├ update evt.MarshaledTime : -> 2025-07-03T12:58:55.174Z
| ├ create evt.Meta.timestamp : 2025-07-03T12:58:55.174Z
| ├ 🟢 crowdsecurity/geoip-enrich (+10)
| ├ create evt.Enriched.ASNumber : 0
| ├ create evt.Enriched.IsInEU : false
| ├ create evt.Enriched.IsoCode : AU
| ├ create evt.Enriched.Latitude : -33.494000
| ├ create evt.Enriched.Longitude : 143.210400
| ├ create evt.Enriched.ASNNumber : 0
| ├ create evt.Enriched.ASNOrg :
| ├ create evt.Meta.IsoCode : AU
| ├ create evt.Meta.ASNNumber : 0
| ├ create evt.Meta.IsInEU : false
├-------- parser success 🟢
├ Scenarios
├ 🟢 corvese/apache-guacamole_bf
└ 🟢 corvese/apache-guacamole_user_enum
Yohan
YohanOP4mo ago
@Loz It's a bit weird, but now if I test my log file instead of the log line it actually works. Thank you so much for your time, I was losing my hair with this 🤣 Have a great day!
CrowdSec
CrowdSec4mo ago
Resolving "Parser failure": this has now been resolved. If you think this is a mistake please run /unresolve