Docker mailserver logs not compatible with crowdsec
Hi all, I am trying to let crowdsec scan my Docker Mailserver (DMS) logs, both are running in containers.
It seems that Crowdsec parser for dovecot/postfix is expecting syslog formatted timestamps.
DMS is producing ISO8601 format, hence my logfiles are not parsed.
I am not able to enforce DMS to write different logfile format.
Any ideas?
7 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
The postfix and dovecot parsers don't expect any timestamp within the lines, so has DMS got something custom to add these? Simply these two by themselves shouldn't, afaik.
Okay. So I’ll raise this with the DMS team. Thx for your reply
Well, not really needed; the parsers for postfix and dovecot should already work. What is your acquisition looking like?
here are the latest logs:
2025-10-11T16:43:41.940340+02:00 mail dovecot: imap(admin@xxx.org)<21024><r6x9D+NAFMXAqAIB>: Disconnected: Logged out in=38 out=559 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
2025-10-11T16:43:59.500252+02:00 mail postfix/anvil[20725]: statistics: max connection rate 3/60s for (submission:192.168.2.1) at Oct 11 16:40:39
2025-10-11T16:43:59.500276+02:00 mail postfix/anvil[20725]: statistics: max connection count 3 for (submission:192.168.2.1) at Oct 11 16:40:39
2025-10-11T16:43:59.500288+02:00 mail postfix/anvil[20725]: statistics: max cache size 1 at Oct 11 16:40:39
and here the metrics (all lines unparsed):
│ Source                  │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/dms_logs/mail.log │ 1.35k      │ -            │ 1.35k          │ -                      │ -                 │
yeah so the syslog is fine?
so what type did you set in your acquisition? cause with those logs it should be syslog
plus remember the parsers are looking for bruteforce attempts, so if you look further into the parser metrics you may see that it passes the syslog section and is failing at dovecot and postfix, since the logs we had so far haven't been failed login attempts
via cscli metrics show parsers
Hi @Loz, I missed your reply earlier. So indeed, my fault was the wrong acquis.yaml instruction. Changing it to file/syslog fixed it. Thanks for pointing me in the right direction.
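The fix the thread ends on, written out as an added example (this is not the poster's actual acquis.yaml, only the shape it needs): a CrowdSec file acquisition entry for the DMS log. The path /dms_logs/mail.log is the one shown in the metrics above; the "before" block is an assumption about what a wrong entry looks like, since the thread only says the type was wrong.

```yaml
# Added example, not the poster's own acquis.yaml.
#
# Before (assumed wrong entry): labelling the file with the application
# name instead of its format. The lines DMS writes carry a full syslog
# header ("2025-10-11T16:43:41.940340+02:00 mail dovecot: ..."), so the
# dovecot/postfix parsers receive a line they were never written for and
# every line is counted as "Lines unparsed" in cscli metrics.
#filenames:
#  - /dms_logs/mail.log
#labels:
#  type: dovecot

# After (what Loz recommends and what fixed it for the poster): declare the
# file as syslog. The syslog stage strips the timestamp/host/program header
# and the postfix and dovecot parsers then match on the program name.
filenames:
  - /dms_logs/mail.log
labels:
  type: syslog
```

After reloading CrowdSec, confirm with cscli metrics show parsers that the syslog stage now parses the lines; the postfix and dovecot parsers will still report unparsed lines until the log contains actual failed-login attempts, exactly as Loz notes above.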