From 32d737483ba018b4d9eb4f154bbbeabf79be6161 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Tue, 27 Jan 2026 12:08:03 +0100
Subject: [PATCH] fix(crowdsec): Fix parsers and acquisition for v1.7.6 compatibility

- Change evt.Line contains -> evt.Line.Raw contains in parsers (pipeline.Line type requires .Raw accessor for string operations)
- Remove invalid filter: field from acquisition configs (filter belongs in parsers, not acquisition files)
Fixes CrowdSec v1.7.6 startup failures.
Co-Authored-By: Claude Opus 4.5
---
 .../files/acquis.d/secubox-haproxy.yaml | 1 -
 .../files/acquis.d/secubox-streamlit.yaml | 1 -
 .../files/parsers/s01-parse/secubox-haproxy.yaml | 4 ++--
 .../files/parsers/s01-parse/secubox-streamlit.yaml | 4 ++--
 4 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-haproxy.yaml b/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-haproxy.yaml
index 7c57bbf5..3b45facd 100644
--- a/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-haproxy.yaml
+++ b/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-haproxy.yaml
@@ -15,4 +15,3 @@ filenames:
 - /tmp/log/messages
 labels:
 type: syslog
-filter: "contains(Line, 'haproxy')"
diff --git a/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-streamlit.yaml b/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-streamlit.yaml
index bb475774..3f3fee1a 100644
--- a/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-streamlit.yaml
+++ b/package/secubox/secubox-app-crowdsec-custom/files/acquis.d/secubox-streamlit.yaml
@@ -14,4 +14,3 @@ filenames:
 - /var/log/haproxy.log
 labels:
 type: haproxy
-filter: "contains(Line, 'streamlit')"
diff --git a/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-haproxy.yaml b/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-haproxy.yaml
index af4f8cde..399c8638 100644
--- a/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-haproxy.yaml
+++ b/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-haproxy.yaml
@@ -4,7 +4,7 @@
 onsuccess: next_stage
 name: secubox/haproxy-logs
 description: "Parse HAProxy access logs"
-filter: "evt.Parsed.program == 'haproxy' || evt.Line contains 'haproxy'"
+filter: "evt.Parsed.program == 'haproxy' || evt.Line.Raw contains 'haproxy'"
 grok:
 pattern: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE:timestamp}\] %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server} %{INT:tq}/%{INT:tw}/%{INT:tc}/%{INT:tr}/%{INT:tt} %{INT:http_status} %{INT:bytes_read}'
 apply_on: message
@@ -27,7 +27,7 @@ statics:
 onsuccess: next_stage
 name: secubox/haproxy-backend-failure
 description: "Parse HAProxy backend connection failures"
-filter: "evt.Line contains 'haproxy' && (evt.Line contains 'no server available' || evt.Line contains 'Connection refused')"
+filter: "evt.Line.Raw contains 'haproxy' && (evt.Line.Raw contains 'no server available' || evt.Line.Raw contains 'Connection refused')"
 grok:
 pattern: "%{IP:source_ip}.*%{GREEDYDATA:error_message}"
 apply_on: message
diff --git a/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-streamlit.yaml b/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-streamlit.yaml
index 319fe044..36f5d43c 100644
--- a/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-streamlit.yaml
+++ b/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-streamlit.yaml
@@ -4,7 +4,7 @@
 onsuccess: next_stage
 name: secubox/streamlit-logs
 description: "Parse Streamlit application logs"
-filter: "evt.Line.Labels.type == 'streamlit' || evt.Line contains 'streamlit'"
+filter: "evt.Line.Labels.type == 'streamlit' || evt.Line.Raw contains 'streamlit'"
 grok:
 pattern: '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}'
 apply_on: message
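Review bot: The fallback `evt.Line.Raw contains 'haproxy'` in the `secubox/haproxy-logs` filter accepts any acquired line that merely mentions the word, including text a remote client can place in a log (a request path, a header, a username echoed by another daemon). The acquisition files in this patch do no per-line filtering and `/tmp/log/messages` is labelled `type: syslog`, so this parser filter is the only gate before the grok assigns `source_ip`; a line written by a different program can therefore be parsed as an HAProxy event and attributed to an address of the sender's choosing. Prefer gating on fields set by the earlier stage, `filter: "evt.Parsed.program == 'haproxy'"`, assuming the s00-raw stage populates `program` for every source, and keep the raw-substring test only where a concrete log source needs it. The same substring gating is used in `secubox/haproxy-backend-failure` in this file and in both filters of `parsers/s01-parse/secubox-streamlit.yaml`; the `statics` of each parser lie outside the hunks.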
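Review bot: The label test `evt.Line.Labels.type == 'streamlit'` in the `secubox/streamlit-logs` filter does not match the only label this patch shows for the streamlit acquisition, where `acquis.d/secubox-streamlit.yaml` sets `type: haproxy` on `/var/log/haproxy.log`. Unless a datasource above that hunk uses `type: streamlit`, the parser is reached only through the raw-substring fallback, and the grok `%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}` is then applied to HAProxy-formatted lines it is unlikely to match, leaving the detection silently inactive. Either align the label in the acquisition file with this filter or record the intended input above the filter, for example `# input: lines labelled type=streamlit from acquis.d/secubox-streamlit.yaml`.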
@@ -29,7 +29,7 @@ statics:
 onsuccess: next_stage
 name: secubox/streamlit-ws-failure
 description: "Parse Streamlit WebSocket connection issues"
-filter: "evt.Line contains 'streamlit' && evt.Line contains 'WebSocket'"
+filter: "evt.Line.Raw contains 'streamlit' && evt.Line.Raw contains 'WebSocket'"
 grok:
 pattern: '%{IP:source_ip}.*WebSocket.*(?:failed|error|closed)'
 apply_on: message
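Review bot: `source_ip` in `secubox/streamlit-ws-failure` is whatever IP-shaped token first precedes `WebSocket` on the line, because the grok on the context line, `'%{IP:source_ip}.*WebSocket.*(?:failed|error|closed)'`, appears to have no `^` anchor and no fixed field layout. Since the changed filter also selects lines purely by substring, both the selection of the event and the address attributed to it can come from request-supplied text, so any remediation built on this event should not be treated as trustworthy attribution. If these are HAProxy lines, anchoring the pattern to the position where the format places the client address, e.g. starting it with `^%{IP:source_ip}:%{INT:source_port} `, would tie the address to the logger rather than to the payload. The parser document continues past the hunk, so how `source_ip` is used in `statics` is not visible here.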