fix(crowdsec): Fix parsers and acquisition for v1.7.6 compatibility

- Change evt.Line contains -> evt.Line.Raw contains in parsers
  (pipeline.Line type requires .Raw accessor for string operations)
- Remove invalid filter: field from acquisition configs
  (filter belongs in parsers, not acquisition files)

Fixes CrowdSec v1.7.6 startup failures.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-01-27 12:08:03 +01:00
parent 51c2f9d1a1
commit 32d737483b
4 changed files with 4 additions and 6 deletions


@ -15,4 +15,3 @@ filenames:
- /tmp/log/messages
labels:
type: syslog
filter: "contains(Line, 'haproxy')"


@ -14,4 +14,3 @@ filenames:
- /var/log/haproxy.log
labels:
type: haproxy
filter: "contains(Line, 'streamlit')"


@ -4,7 +4,7 @@
onsuccess: next_stage
name: secubox/haproxy-logs
description: "Parse HAProxy access logs"
filter: "evt.Parsed.program == 'haproxy' || evt.Line contains 'haproxy'"
filter: "evt.Parsed.program == 'haproxy' || evt.Line.Raw contains 'haproxy'"
grok:
pattern: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE:timestamp}\] %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server} %{INT:tq}/%{INT:tw}/%{INT:tc}/%{INT:tr}/%{INT:tt} %{INT:http_status} %{INT:bytes_read}'
apply_on: message
@ -27,7 +27,7 @@ statics:
onsuccess: next_stage
name: secubox/haproxy-backend-failure
description: "Parse HAProxy backend connection failures"
filter: "evt.Line contains 'haproxy' && (evt.Line contains 'no server available' || evt.Line contains 'Connection refused')"
filter: "evt.Line.Raw contains 'haproxy' && (evt.Line.Raw contains 'no server available' || evt.Line.Raw contains 'Connection refused')"
grok:
pattern: "%{IP:source_ip}.*%{GREEDYDATA:error_message}"
apply_on: message
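Review bot: In the `secubox/haproxy-backend-failure` node the filter is only a substring test on `evt.Line.Raw` and the grok `%{IP:source_ip}.*%{GREEDYDATA:error_message}` is unanchored, so `source_ip` is bound to the first IP-shaped token in any line that merely contains the right words. If request-controlled text can reach these logs (not verifiable from this page), an event could be attributed to an address that is not the client, and this parser filter is the only gate now that the acquisition files carry none. Gating on the parsed program as the first node does, e.g. `filter: "evt.Parsed.program == 'haproxy' && (evt.Line.Raw contains 'no server available' || evt.Line.Raw contains 'Connection refused')"`, and anchoring the pattern to where the client address sits in the HAProxy line would narrow this; that assumes `evt.Parsed.program` is populated for these sources. The same shape appears in `secubox/streamlit-ws-failure` (`%{IP:source_ip}.*WebSocket.*(?:failed|error|closed)`), and both nodes continue past their hunks.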

View File

@ -4,7 +4,7 @@
onsuccess: next_stage
name: secubox/streamlit-logs
description: "Parse Streamlit application logs"
filter: "evt.Line.Labels.type == 'streamlit' || evt.Line contains 'streamlit'"
filter: "evt.Line.Labels.type == 'streamlit' || evt.Line.Raw contains 'streamlit'"
grok:
pattern: '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}'
apply_on: message
@ -29,7 +29,7 @@ statics:
onsuccess: next_stage
name: secubox/streamlit-ws-failure
description: "Parse Streamlit WebSocket connection issues"
filter: "evt.Line contains 'streamlit' && evt.Line contains 'WebSocket'"
filter: "evt.Line.Raw contains 'streamlit' && evt.Line.Raw contains 'WebSocket'"
grok:
pattern: '%{IP:source_ip}.*WebSocket.*(?:failed|error|closed)'
apply_on: message
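Review bot: The `evt.Line.Labels.type == 'streamlit'` branch of the `secubox/streamlit-logs` filter has no matching label among the acquisition sections shown in this commit, which set `type: syslog` and `type: haproxy`. Unless another acquisition file sets `type: streamlit`, selection rests on the `evt.Line.Raw contains 'streamlit'` fallback alone, which matches any line mentioning the word. It is worth confirming which source is meant to feed this parser and recording it above the filter, for example `# selected by acquisition label type=streamlit; the Raw substring is a fallback for lines arriving under other labels`.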