suricata logs can't parser?

[andyoulovexy]

What happened?

suricata logs can't parser?

What did you expect to happen?

parser suricata work

How can we reproduce it (as minimally and precisely as possible)?

suricata logs :
{"timestamp":"2022-11-14T10:41:13.512844+0800","flow_id":171518089232986,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55191,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dcer
pc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-11-14T10:41:15.259165+0800","flow_id":1902553118510911,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37314,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com
","issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni
":"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}}
{"timestamp":"2022-11-14T10:41:15.263897+0800","flow_id":2097420079606221,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55223,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dce
rpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-11-14T10:41:15.279867+0800","flow_id":664576040082216,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37316,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com"
,"issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni"
:"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}}
{"timestamp":"2022-11-14T10:41:15.280621+0800","flow_id":1021023965817414,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55224,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dce
rpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-11-14T10:41:15.307745+0800","event_type":"stats","stats":{"uptime":16,"capture":{"kernel_packets":1964,"kernel_drops":0,"errors":0},"decoder":{"pkts":2298,"bytes":1348785,"invalid":144,"ipv4":2286,"ipv6":3,"ethernet":2298,
"chdlc":0,"raw":0,"null":0,"sll":0,"tcp":2112,"udp":33,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vxlan":0,"vntag":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_p
kt_size":586,"max_pkt_size":1534,"max_mac_addrs_src":0,"max_mac_addrs_dst":0,"erspan":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":144,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0,"
opt_pad_required":0,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pk
t":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"tru
nc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hop
opts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0
,"frag_overlap":0,"frag_invalid_length":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"o
pt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_sma
ll":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"ver
sion1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0,
"too_many_layers":0},"ieee8021ah":{"header_too_small":0},"vntag":{"header_too_small":0,"unknown_type":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"mpls":{"header_too_small"
:0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"vxlan":{"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_v
ersion":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0},"chdlc":{"pkt_too_small":0}},"too_many_layers":0},"flow":{"memcap":0,"tcp":38,"udp":6,"icmpv4":0,"icmpv6":0,"tcp_reuse":0,"get_used":0,"get_used_eval":0,"get_used_eval_reject":0,"
get_used_eval_busy":0,"get_used_failed":0,"wrk":{"spare_sync_avg":100,"spare_sync":4,"spare_sync_incomplete":0,"spare_sync_empty":0,"flows_evicted_needs_work":0,"flows_evicted_pkt_inject":0,"flows_evicted":0,"flows_injected":0},"mgr":{"full_
hash_pass":1,"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"rows_maxlen":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_evicted":0,"flows_evicted_needs_work":0},"spare":9600,"em
erg_mode_entered":0,"emerg_mode_over":0,"memuse":7394304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"l
ocal_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"tcp":{"sessions":29,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":29,"synack":22,"rst":15,"midstream_pickups":0,"pkt_on_wr
ong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":8,"overlap":2,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2424992,"reassembly_memuse":424024},"d
etect":{"engines":[{"id":0,"last_reload":"2022-11-14T10:40:59.216508+0800","rules_loaded":0,"rules_failed":0}],"alert":0,"alert_queue_overflow":0,"alerts_suppressed":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":9,"ssh":1,"imap":0,
"smb":0,"dcerpc_tcp":10,"dns_tcp":0,"nfs_tcp":0,"ntp":1,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":1,"nfs_udp":0,"krb5_udp":0,"failed_udp":4},"tx":{
"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":1,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"dcerpc_udp":0,"dns_udp":2,"nfs_udp":0,
"krb5_udp":0},"expectations":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0},"file_store":{"open_files":0}}}

Anything else we need to know?

No response

Crowdsec version

$ cscli version
# paste output here

2022/11/14 11:24:51 version: v1.4.1-el7-rpm-e1954adc325baa9e3420c324caabd50b7074dd77 2022/11/14 11:24:51 Codename: alphaga 2022/11/14 11:24:51 BuildDate: 2022-07-25_09:53:20 2022/11/14 11:24:51 GoVersion: 1.17.5 2022/11/14 11:24:51 Platform: linux 2022/11/14 11:24:51 Constraint_parser: >= 1.0, <= 2.0 2022/11/14 11:24:51 Constraint_scenario: >= 1.0, < 3.0 2022/11/14 11:24:51 Constraint_api: v1 2022/11/14 11:24:51 Constraint_acquis: >= 1.0, < 2.0

OS version

# On Linux:
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

$ uname -a
Linux HKbact788966.local 3.10.0-957.1.3.el7.x86_64 crowdsecurity/crowdsec#1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

$ cscli hub list -o raw
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,1.6,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/suricata,enabled,0.1,suricata support : parser and automatic remediation on high/major alerts,collections
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.3,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.0,Parse openSSH logs,parsers
crowdsecurity/suricata-logs,enabled,0.5,Parse suricata fast.log,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/modsecurity,enabled,0.4,Web exploitation via modsecurity,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/suricata-alerts,enabled,0.3,Detect exploit attempts via emerging threat rules,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* #Generated acquisition file - wizard.sh (service: nginx) / files : journalctl_filter: - _SYSTEMD_UNIT=openresty.service labels: type: openresty --- #Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure filenames: - /var/log/secure labels: type: syslog --- #Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages filenames: - /var/log/messages labels: type: syslog --- filenames: - /usr/local/openresty/nginx/logs/*.log labels: type: nginx --- filename: /var/log/suricata/eve.json labels: type: suricata-evelogs ---

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              : 
  - Hub Folder              : /etc/crowdsec/hub
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs: 
      - 127.0.0.1
      - ::1
      - 103.233.255.193
      - 103.164.63.78
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

$ cscli metrics
INFO[14-11-2022 11:27:33 AM] Buckets Metrics:                             
+-------------------------------------+---------------+-----------+--------------+--------+---------+
|               BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+-------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/ssh-bf                | 1             | -         | 17           | 34     | 16      |
| crowdsecurity/ssh-bf_user-enum      | 1             | -         | 17           | 17     | 16      |
| crowdsecurity/ssh-slow-bf           | 1             | -         | 1            | 34     | -       |
| crowdsecurity/ssh-slow-bf_user-enum | 1             | -         | 1            | 7      | -       |
+-------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[14-11-2022 11:27:33 AM] Acquisition Metrics:                         
+-------------------------------------------------------+------------+--------------+----------------+------------------------+
|                        SOURCE                         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-------------------------------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/messages                                | 9          | -            | 9              | -                      |
| file:/var/log/secure                                  | 121        | 51           | 70             | 92                     |
| file:/var/log/suricata/eve.json                       | 4.53k      | -            | 4.53k          | -                      |
| journalctl:journalctl-_SYSTEMD_UNIT=openresty.service | 2          | -            | 2              | -                      |
+-------------------------------------------------------+------------+--------------+----------------+------------------------+
INFO[14-11-2022 11:27:33 AM] Parser Metrics:                              
+---------------------------------+-------+--------+----------+
|             PARSERS             | HITS  | PARSED | UNPARSED |
+---------------------------------+-------+--------+----------+
| child-crowdsecurity/sshd-logs   | 1.01k | 51     | 955      |
| child-crowdsecurity/syslog-logs | 130   | 130    | -        |
| crowdsecurity/dateparse-enrich  | 51    | 51     | -        |
| crowdsecurity/geoip-enrich      | 51    | 51     | -        |
| crowdsecurity/non-syslog        | 4.53k | 4.53k  | -        |
| crowdsecurity/sshd-logs         | 121   | 51     | 70       |
| crowdsecurity/syslog-logs       | 130   | 130    | -        |
| crowdsecurity/whitelists        | 51    | 51     | -        |
+---------------------------------+-------+--------+----------+
INFO[14-11-2022 11:27:33 AM] Local Api Metrics:                           
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /                    | GET    | 2    |
| /v1/alerts           | GET    | 2    |
| /v1/decisions/stream | GET    | 236  |
| /v1/heartbeat        | GET    | 110  |
| /v1/watchers/login   | POST   | 10   |
+----------------------+--------+------+
INFO[14-11-2022 11:27:33 AM] Local Api Machines Metrics:                  
+--------------------------------------------------+---------------+--------+------+
|                     MACHINE                      |     ROUTE     | METHOD | HITS |
+--------------------------------------------------+---------------+--------+------+
| 607ed7e2b03a61872e5d3b0aba2c900dGd82p4T25jlQqDAu | /v1/heartbeat | GET    | 38   |
| 6ed57b2003224bb0a771355be7660bfcnbap0ayYDhWSDGGU | /v1/heartbeat | GET    | 31   |
| testMachine                                      | /v1/heartbeat | GET    | 39   |
| testMachine                                      | /v1/alerts    | GET    | 2    |
+--------------------------------------------------+---------------+--------+------+
INFO[14-11-2022 11:27:33 AM] Local Api Bouncers Metrics:                  
+----------------------------+----------------------+--------+------+
|          BOUNCER           |        ROUTE         | METHOD | HITS |
+----------------------------+----------------------+--------+------+
| FirewallBouncer-1667210992 | /v1/decisions/stream | GET    | 236  |
+----------------------------+----------------------+--------+------+
INFO[14-11-2022 11:27:33 AM] Local Api Decisions:                         
+--------------------------------------------------+----------+--------+-------+
|                      REASON                      |  ORIGIN  | ACTION | COUNT |
+--------------------------------------------------+----------+--------+-------+
| crowdsecurity/fortinet-cve-2018-13379            | CAPI     | ban    | 57    |
| crowdsecurity/http-backdoors-attempts            | CAPI     | ban    | 138   |
| crowdsecurity/http-sensitive-files               | CAPI     | ban    | 13    |
| crowdsecurity/jira_cve-2021-26086                | CAPI     | ban    | 61    |
| crowdsecurity/mysql-bf                           | CAPI     | ban    | 322   |
| crowdsecurity/ssh-bf                             | CAPI     | ban    | 8982  |
| crowdsecurity/ssh-bf                             | crowdsec | ban    | 3     |
| crowdsecurity/CVE-2022-41082                     | CAPI     | ban    | 1112  |
| crowdsecurity/http-cve-2021-41773                | CAPI     | ban    | 16    |
| crowdsecurity/http-generic-bf                    | CAPI     | ban    | 37    |
| crowdsecurity/http-path-traversal-probing        | CAPI     | ban    | 266   |
| crowdsecurity/http-probing                       | CAPI     | ban    | 1997  |
| crowdsecurity/thinkphp-cve-2018-20062            | CAPI     | ban    | 135   |
| crowdsecurity/vmware-cve-2022-22954              | CAPI     | ban    | 2     |
| ltsich/http-w00tw00t                             | CAPI     | ban    | 5     |
| crowdsecurity/CVE-2022-37042                     | CAPI     | ban    | 2     |
| crowdsecurity/http-crawl-non_statics             | CAPI     | ban    | 1528  |
| crowdsecurity/http-open-proxy                    | CAPI     | ban    | 225   |
| crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 | CAPI     | ban    | 1     |
| crowdsecurity/ssh-slow-bf                        | CAPI     | ban    | 3627  |
| crowdsecurity/ssh-slow-bf                        | crowdsec | ban    | 6     |
| crowdsecurity/spring4shell_cve-2022-22965        | CAPI     | ban    | 1     |
| crowdsecurity/CVE-2022-26134                     | CAPI     | ban    | 14    |
| crowdsecurity/apache_log4j2_cve-2021-44228       | CAPI     | ban    | 36    |
| crowdsecurity/grafana-cve-2021-43798             | CAPI     | ban    | 2     |
| crowdsecurity/http-bad-user-agent                | CAPI     | ban    | 1639  |
| crowdsecurity/nginx-req-limit-exceeded           | CAPI     | ban    | 297   |
+--------------------------------------------------+----------+--------+-------+
INFO[14-11-2022 11:27:33 AM] Local Api Alerts:                            
+----------------------------------------------------+-------+
|                       REASON                       | COUNT |
+----------------------------------------------------+-------+
| crowdsecurity/ssh-bf                               | 657   |
| crowdsecurity/http-xss-probbing                    | 1     |
| crowdsecurity/ssh-slow-bf                          | 1575  |
| crowdsecurity/http-path-traversal-probing          | 4     |
| crowdsecurity/http-probing                         | 10    |
| crowdsecurity/ssh-slow-bf_user-enum                | 27    |
| manual 'ban' from                                  | 3     |
| '607ed7e2b03a61872e5d3b0aba2c900dGd82p4T25jlQqDAu' |       |
| crowdsecurity/http-bad-user-agent                  | 12    |
| crowdsecurity/http-open-proxy                      | 2     |
| crowdsecurity/http-sensitive-files                 | 5     |
| crowdsecurity/http-sqli-probbing-detection         | 1     |
| crowdsecurity/ssh-bf_user-enum                     | 24    |
| manual 'ban' from                                  | 1     |
| '607ed7e2b03a61872e5d3b0aba2c900dcQVCQafsRa7bqhNK' |       |
| crowdsecurity/http-crawl-non_statics               | 8     |
| crowdsecurity/http-cve-2021-41773                  | 5     |
+----------------------------------------------------+-------+

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

[LaurenceJJones]

Transferring to the hub as more appropriate location

[LaurenceJJones]

For the suricata fast log we only support text format not JSON, is this configurable? plus which logs is it? is it one below stated?

the JSON eve.json format (type: suricata-evelogs)
the text fast.log format (type: suricata-fastlogs)

[LaurenceJJones]

Stale issue closing please reopen if you find time to respond to questions

[M-Stenzel]

Hi team,

well, I exactly face the same problem.

I run suricata version 5.0.10 (cannot upgrade to version 6, since I need to use it together with prelude OSS).
I run crowdsec version 1.4.3

The suricata logs do not get parsed.

FYI:

Acquisition Metrics:
╭───────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├───────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/suricata/eve.json │ 30.83k │ - │ 30.83k │ - │
│ journalctl:journalctl-_SYSTEMD_UNIT=mysql.service │ 1 │ - │ 1 │ - │
│ journalctl:journalctl-_SYSTEMD_UNIT=sshd.service │ 1 │ - │ 1 │ - │
╰───────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Local Api Metrics:
╭──────────────────────┬────────┬──────╮
│ Route │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts │ POST │ 3 │
│ /v1/decisions/stream │ GET │ 516 │
│ /v1/heartbeat │ GET │ 86 │
│ /v1/watchers/login │ POST │ 6 │
╰──────────────────────┴────────┴──────╯

Local Api Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine │ Route │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ 8cb9a62beb75b6665e560e3b59789ff3l2CvrtJ61bUuTHSs │ /v1/heartbeat │ GET │ 86 │
│ 8cb9a62beb75b2665e500e3b59789ff3l2CvrtJ61bUuTHSs │ /v1/alerts │ POST │ 3 │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Local Api Bouncers Metrics:
╭────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer │ Route │ Method │ Hits │
├────────────────────────────┼──────────────────────┼────────┼──────┤
│ FirewallBouncer-1671311503 │ /v1/decisions/stream │ GET │ 516 │
╰────────────────────────────┴──────────────────────┴────────┴──────╯

Local Api Decisions:
╭──────────────────────────────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason │ Origin │ Action │ Count │
├──────────────────────────────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 4 │
│ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 7 │
│ crowdsecurity/http-generic-bf │ CAPI │ ban │ 26 │
│ crowdsecurity/ssh-bf │ CAPI │ ban │ 1826 │
│ crowdsecurity/mysql-bf │ CAPI │ ban │ 67 │
│ crowdsecurity/spring4shell_cve-2022-22965 │ CAPI │ ban │ 2 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 33 │
│ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 5531 │
│ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 1 │
│ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 55 │
│ crowdsecurity/vmware-cve-2022-22954 │ CAPI │ ban │ 4 │
│ crowdsecurity/http-probing │ CAPI │ ban │ 4204 │
│ crowdsecurity/nginx-req-limit-exceeded │ CAPI │ ban │ 892 │
│ crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 │ CAPI │ ban │ 2 │
│ ltsich/http-w00tw00t │ CAPI │ ban │ 3 │
│ crowdsecurity/CVE-2022-41082 │ CAPI │ ban │ 2 │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 29 │
│ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 262 │
│ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 1165 │
│ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 71 │
│ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 46 │
│ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 617 │
│ crowdsecurity/CVE-2022-37042 │ CAPI │ ban │ 4 │
│ crowdsecurity/grafana-cve-2021-43798 │ CAPI │ ban │ 6 │
│ manual 'ban' from '8cb9a62beb75b2665e560e3b59789f3l2CvrtJ61bUuTHSs' │ cscli │ ban │ 1 │
│ crowdsecurity/CVE-2022-42889 │ CAPI │ ban │ 1 │
│ crowdsecurity/http-open-proxy │ CAPI │ ban │ 244 │
│ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 182 │
│ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 168 │
╰──────────────────────────────────────────────────────────────────────┴────────┴────────┴───────╯

Local Api Alerts:
╭──────────────────────────────────────────────────────────────────────┬───────╮
│ Reason │ Count │
├──────────────────────────────────────────────────────────────────────┼───────┤
│ manual 'ban' from '8cb9a62beb75b765e560e3b59789ff5l2CvrtJ61bUuTHSs' │ 3 │
╰──────────────────────────────────────────────────────────────────────┴───────╯

This is one example line from eve.json

{"timestamp":"2022-12-18T18:30:53.263350+0200","flow_id":989059031607521,"in_iface":"eth0","event_type":"tls","src_ip":"84.44.200.23","src_port":47470,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","tls":{"sni":"tube.xy-space.de","version":"TLS 1.3","ja3":{"hash":"579ccef312d18482fc42e2b822ca2430","string":"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0"},"ja3s":{"hash":"15af977ce25de452b96affa2addb1036","string":"771,4866,43-51"}}}

Any ideas?

[LaurenceJJones]

Hey so the filter is json based so the event_type needs to be "alert" the one you shared is "tls"

Here the filter
evt.Parsed.program == "suricata-evelogs" && JsonExtract(evt.Parsed.message, "event_type") == "alert"

[M-Stenzel]

Well, this was an example line.
I have lines like this:

{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}

which should be parsed, shouldn't they?

[LaurenceJJones]

Reopening issue will look into it Monday. Would be helpful if you could run the line through cscli explain

[M-Stenzel]

Reopening issue will look into it Monday. Would be helpful if you could run the line through cscli explain

cscli explain --file /var/log/suricata/eve.json --type suricata-evelogs --verbose yields many lines, e. g.

line: {"timestamp":"2022-12-18T23:31:09.003158+0200","flow_id":2159103788454115,"in_iface":"eth0","event_type":"flow","src_ip":"132.226.212.242","src_port":41784,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":14,"pkts_toclient":13,"bytes_toserver":3137,"bytes_toclient":7441,"start":"2022-12-18T23:30:00.921827+0200","end":"2022-12-18T23:30:06.410477+0200","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🔴 crowdsecurity/suricata-evelogs
| └ 🔴 crowdsecurity/suricata-fastlogs
└-------- parser failure 🔴

line: {"timestamp":"2022-12-18T23:36:58.012295+0200","flow_id":2041696589825413,"in_iface":"eth0","event_type":"tls","src_ip":"95.216.205.51","src_port":59106,"dest_ip":"172.67.202.221","dest_port":443,"proto":"TCP","tls":{"sni":"relay.national-defence.network","version":"TLS 1.3","ja3":{"hash":"c199b43d41b470f8f68c5561f8f1ce3e","string":"771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2"},"ja3s":{"hash":"907bf3ecef1c987c889946b737b43de8","string":"771,4866,51-43"}}}
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🔴 crowdsecurity/suricata-evelogs
| └ 🔴 crowdsecurity/suricata-fastlogs
└-------- parser failure 🔴

[LaurenceJJones]

Is that a like for like copy of the output? Cause its missing s00 section

Helps if I have the full output also wrap the lines in ``` allows for better formatting

But it's clear something not parsing so I can debug on Monday

[M-Stenzel]

O. K. so there seems to be a different problem!?
No, I did not omit anything.

[M-Stenzel]

This is my acquis.yaml file content:

#Generated acquisition file - wizard.sh (service: sshd) / files :
journalctl_filter:

• _SYSTEMD_UNIT=sshd.service
  labels:
  type: syslog
  --
  #Generated acquisition file - wizard.sh (service: mysql) / files :
  journalctl_filter:
• _SYSTEMD_UNIT=mysql.service
  labels:
  type: mysql
  --
  #Added by Martin Stenzel :
  filename: /var/log/suricata/eve.json
  labels:
  type: suricata-evelogs
  --

Note that I removed every third minus sign when posting the content in order to avoid formatting issues.

[LaurenceJJones]

Yes your missing the syslog parser? If you do cscli parsers list if it is not there you need to do cscli collections install crowdsecurity/linux

[M-Stenzel]

Well, I did so, now I receive

    ├ s00-raw
    |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
    |       └ 🔴 crowdsecurity/syslog-logs
    ├ s01-parse
    |       ├ 🔴 crowdsecurity/apache2-logs
    |       ├ 🔴 crowdsecurity/mysql-logs
    |       ├ 🔴 crowdsecurity/nginx-logs
    |       ├ 🔴 crowdsecurity/sshd-logs
    |       ├ 🔴 crowdsecurity/suricata-evelogs
    |       └ 🔴 crowdsecurity/suricata-fastlogs
    └-------- parser failure 🔴

[M-Stenzel]

My updated acquis.yaml file looks like this:

#Added by Martin Stenzel :
filenames:

• /var/log/messages
  labels:
  type: syslog
  --
  #Generated acquisition file - wizard.sh (service: sshd) / files :
  journalctl_filter:
• _SYSTEMD_UNIT=sshd.service
  labels:
  type: syslog
  --
  #Generated acquisition file - wizard.sh (service: mysql) / files :
  journalctl_filter:
• _SYSTEMD_UNIT=mysql.service
  labels:
  type: mysql
  --
  #Added by Martin Stenzel :
  filename: /var/log/suricata/eve.json
  labels:
  type: suricata-evelogs
  --

[M-Stenzel]

The crowdsec.log tells me:

time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml stage=s01-parse

No errors or warnings, but still "s01-parse" only yields red dots...

[LaurenceJJones]

That's because the log is stating the yaml syntax is correct doesn't mean the parser is correct for your log sample as stated will investigate Monday as its not just a syslog parser missing issue

[LaurenceJJones]

So with the alert above with "event_type": "alert". The parser is working as intended.

[loz@unknown-dev ~]$ sudo cscli explain --log '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' --type suricata-evelogs -v
line: {"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}
        ├ s00-raw
        |       ├ 🔴 crowdsecurity/docker-logs
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/apache2-logs
        |       ├ 🔴 crowdsecurity/haproxy-logs
        |       ├ 🔴 crowdsecurity/mariadb-logs
        |       ├ 🔴 crowdsecurity/nginx-logs
        |       ├ 🔴 crowdsecurity/sshd-logs
        |       ├ 🟢 crowdsecurity/suricata-evelogs (+13 ~2)
        |               ├ update evt.Stage : s01-parse -> s02-enrich
        |               ├ create evt.Parsed.time : 2022-12-18T22:13:41.010414
        |               ├ create evt.Parsed.dest_ip : 95.216.205.51
        |               ├ create evt.Parsed.dest_port : 8042
        |               ├ create evt.Parsed.proto : TCP
        |               ├ create evt.Parsed.suricata_alert_signature : SURICATA HTTP Request line incomplete
        |               ├ create evt.Parsed.suricata_alert_signature_rev : 1
        |               ├ update evt.StrTime :  -> 2022-12-18T22:13:41.010414Z
        |               ├ create evt.Meta.log_type : suricata_alert
        |               ├ create evt.Meta.service : suricata
        |               ├ create evt.Meta.source_ip : 135.181.5.2
        |               ├ create evt.Meta.sub_log_type : suricata_alert_eve_json
        |               ├ create evt.Meta.suricata_alert_signature_id : 2221042
        |               ├ create evt.Meta.suricata_flow_id : 739629681939368
        |               ├ create evt.Meta.suricata_rule_severity : 3
        |       ├ 🔴 crowdsecurity/suricata-fastlogs
        |       └ 🔴 proftpd-logs
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2022-12-18T22:13:41.010414Z
        |               ├ update evt.MarshaledTime :  -> 2022-12-18T22:13:41.010414Z
        |               ├ create evt.Meta.timestamp : 2022-12-18T22:13:41.010414Z
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.IsInEU : true
        |               ├ create evt.Enriched.IsoCode : FI
        |               ├ create evt.Enriched.Longitude : 24.934700
        |               ├ create evt.Enriched.SourceRange : 135.181.0.0/16
        |               ├ create evt.Enriched.ASNumber : 24940
        |               ├ create evt.Enriched.ASNOrg : Hetzner Online GmbH
        |               ├ create evt.Enriched.Latitude : 60.171900
        |               ├ create evt.Enriched.ASNNumber : 24940
        |               ├ create evt.Meta.ASNOrg : Hetzner Online GmbH
        |               ├ create evt.Meta.SourceRange : 135.181.0.0/16
        |               ├ create evt.Meta.ASNNumber : 24940
        |               ├ create evt.Meta.IsInEU : true
        |               ├ create evt.Meta.IsoCode : FI
        |       ├ 🔴 crowdsecurity/http-logs
        |       └ 🔴 crowdsecurity/nextcloud-whitelist
        ├-------- parser success 🟢        ├ Scenarios

[LaurenceJJones]

So when you pass it through a json prettifier you can see it more clearly.

[loz@unknown-dev ~]$ echo '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' | jq
{
  "timestamp": "2022-12-18T22:13:41.010414+0200",
  "flow_id": 739629681939368,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "135.181.5.2",
  "src_port": 38917,
  "dest_ip": "95.216.205.51",
  "dest_port": 8042,
  "proto": "TCP",
  "metadata": {
    "flowints": {
      "applayer.anomaly.count": 1,
      "http.anomaly.count": 1
    }
  },
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2221042,
    "rev": 1,
    "signature": "SURICATA HTTP Request line incomplete",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  },
  "http": {
    "http_port": 0,
    "status": 400,
    "length": 0
  },
  "app_proto": "http",
  "app_proto_ts": "failed",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 7,
    "bytes_toserver": 247,
    "bytes_toclient": 657,
    "start": "2022-12-18T22:13:41.005032+0200"
  }
}

So the parser only parses the line when the "event_type" == "alert" if is not it will miss the line as it not classed as an suricata alert.

[M-Stenzel]

Well, first of all thank you for digging into it!
I verified on my machine, and indeed I do receive the same results.
So I guess, it was due to

#594 (comment)

I verified with the console, and receive alerts - as expected.

So after all I can state that the latest stable version of crowdsec (1.4.3) works with suricata version 5.0.10.

Thank you again.

[LaurenceJJones]

Always best to get confirmation that it is working 👍🏻