From 0b95f1d92d3a95cd446d304d4198e174619cf843 Mon Sep 17 00:00:00 2001 From: Jack Platten Date: Wed, 31 Jan 2024 07:49:02 -0800 Subject: [PATCH] Update caddy-logs.yaml to include http_version (#905) * Update caddy-logs.yaml Adds HTTP version parsing to Caddy parser, resolving an unintended conflict with the `http-dos-invalid-http-versions` scenario. * Update index * Update assert to have http version --------- Co-authored-by: GitHub Action Co-authored-by: Laurence --- .index.json | 8 +- .tests/caddy-logs/parser.assert | 313 ++++++++++-------- .../s01-parse/crowdsecurity/caddy-logs.yaml | 4 +- 3 files changed, 176 insertions(+), 149 deletions(-) diff --git a/.index.json b/.index.json index 3eecd316dbc..e6d038fdb92 100644 --- a/.index.json +++ b/.index.json @@ -4958,7 +4958,7 @@ "crowdsecurity/caddy-logs": { "path": "parsers/s01-parse/crowdsecurity/caddy-logs.yaml", "stage": "s01-parse", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "30bf81915d8254ab7611c156ddbe0cf389838d471f973403ae1b07fffa5b6d5a", 
@@ -4983,10 +4983,14 @@ "0.6": { "digest": "856f9882c2aa89d701dce456e97bfb4c5230b7fc83cefc54a8279d7cdac5b8fe", "deprecated": false + }, + "0.7": { + "digest": "6f4f7ca36d2d65b540bdc57e47edd44365c39a82d04291015136356f99d29f85", + "deprecated": false } }, "long_description": "UGFyc2VyIGZvciBjYWRkeSBsb2dzLgpJdCBleHBlY3RzIHRoZSBkZWZhdWx0IGtleSB2YWx1ZXMgZm9yIGNhZGR5IGxvZ3MuCgpZb3UgbmVlZCB0byBzcGVjaWZ5IGNhZGR5IGNvbmZpZyB0byBlbmFibGUgbG9nZ2luZyBpbiBhIGZpbGU6CgpgYGBiYXNoCjo4MCB7CiAgICAgICAgIyBTZXQgdGhpcyBwYXRoIHRvIHlvdXIgc2l0ZSdzIGRpcmVjdG9yeS4KICAgICAgICByb290ICogL3Vzci9zaGFyZS9jYWRkeQoKICAgICAgICAjIEVuYWJsZSB0aGUgc3RhdGljIGZpbGUgc2VydmVyLgogICAgICAgIGZpbGVfc2VydmVyCgogICAgICAgICMgQW5vdGhlciBjb21tb24gdGFzayBpcyB0byBzZXQgdXAgYSByZXZlcnNlIHByb3h5OgogICAgICAgICMgcmV2ZXJzZV9wcm94eSBsb2NhbGhvc3Q6ODA4MAoKICAgICAgICAjIE9yIHNlcnZlIGEgUEhQIHNpdGUgdGhyb3VnaCBwaHAtZnBtOgogICAgICAgICMgcGhwX2Zhc3RjZ2kgbG9jYWxob3N0OjkwMDAKICAgICAgICBsb2cgewogICAgICAgICAgICAgICAgb3V0cHV0IGZpbGUgL3Zhci9sb2cvY2FkZHkvYWNjZXNzLmxvZwogICAgICAgIH0KfQoKYGBgCgpBbmQgdGhlbiBhZGQgaW4gYWNxdWlzaXRpb24gdGhpcyA6CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAtIC92YXIvbG9nL2NhZGR5L2FjY2Vzcy5sb2cKbGFiZWxzOgogIHR5cGU6IGNhZGR5CmBgYA==", - "content": "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", + "content": 
"ZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtIHN0YXJ0c1dpdGggJ2NhZGR5JyAmJiBVbm1hcnNoYWxKU09OKGV2dC5QYXJzZWQubWVzc2FnZSwgZXZ0LlVubWFyc2hhbGVkLCAnY2FkZHknKSBpbiBbJycsIG5pbF0iCm9uc3VjY2VzczogbmV4dF9zdGFnZQpuYW1lOiBjcm93ZHNlY3VyaXR5L2NhZGR5LWxvZ3MKZGVzY3JpcHRpb246ICJQYXJzZSBjYWRkeSBsb2dzIgpzdGF0aWNzOgogIC0gbWV0YTogbG9nX3R5cGUKICAgIHZhbHVlOiBodHRwX2FjY2Vzcy1sb2cKICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgIGV4cHJlc3Npb246IHwKICAgICAgU3ByaW50ZigiJXYiLCBldnQuVW5tYXJzaGFsZWQuY2FkZHkudHMpIG1hdGNoZXMgJ15bMC05ZVxcLlxcK10rJCcgPyBpbnQoZXZ0LlVubWFyc2hhbGVkLmNhZGR5LnRzKSA6IGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS50cwogIC0gbWV0YTogc2VydmljZQogICAgdmFsdWU6IGh0dHAKICAjI0NhZGR5IG5vdyBzZXRzIGNsaWVudF9pcCB0byB0aGUgdmFsdWUgb2YgWC1Gb3J3YXJkZWQtRm9yIGlmIHVzZXJzIHNldHMgdHJ1c3RlZCBwcm94aWVzCiAgLSBwYXJzZWQ6IHJlbW90ZV9pcAogICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmNhZGR5LnJlcXVlc3QuY2xpZW50X2lwCiAgLSBwYXJzZWQ6IGh0dHBfdmVyc2lvbgogICAgZXhwcmVzc2lvbjogImV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LnByb3RvICE9IG5pbCA/IFNwbGl0KGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LnByb3RvLCAnLycpWzFdIDogbmlsIgogIC0gcGFyc2VkOiByZW1vdGVfYWRkcgogICAgZXhwcmVzc2lvbjogImV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LnJlbW90ZV9hZGRyICE9IG5pbCA/IFNwbGl0KGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LnJlbW90ZV9hZGRyLCAnOicpWzBdIDogbmlsIgogIC0gbWV0YTogc291cmNlX2lwCiAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnJlbW90ZV9pcAogIC0gbWV0YTogaHR0cF9zdGF0dXMKICAgIGV4cHJlc3Npb246IGludChldnQuVW5tYXJzaGFsZWQuY2FkZHkuc3RhdHVzKQogIC0gbWV0YTogaHR0cF9wYXRoCiAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuY2FkZHkucmVxdWVzdC51cmkKICAtIHBhcnNlZDogcmVxdWVzdCAjQWRkIGZvciBodHRwLWxvZ3MgZW5yaWNoZXIKICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LnVyaQogIC0gcGFyc2VkOiB2ZXJiCiAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuY2FkZHkucmVxdWVzdC5tZXRob2QKICAtIG1ldGE6IGh0dHBfdmVyYgogICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmNhZGR5LnJlcXVlc3QubWV0aG9kCiAgLSBwYXJzZWQ6IGh0dHBfdXNlcl9hZ2VudAogICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmNhZGR5LnJlcXVlc3QuaGVhZGVyc1snVXNlci1BZ2VudCddWzBdCiAgLSBtZXRhOiBodHRwX3VzZXJ
fYWdlbnQKICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0LmhlYWRlcnNbJ1VzZXItQWdlbnQnXVswXQogIC0gbWV0YTogdGFyZ2V0X2ZxZG4KICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5jYWRkeS5yZXF1ZXN0Lmhvc3QKICAtIG1ldGE6IHN1Yl90eXBlCiAgICBleHByZXNzaW9uOiAiZXZ0Lk1ldGEuaHR0cF9zdGF0dXMgPT0gJzQwMScgJiYgZXZ0LlVubWFyc2hhbGVkLnJlcXVlc3QuaGVhZGVycy5BdXRob3JpemF0aW9uIHN0YXJ0c1dpdGggJ0Jhc2ljICcgPyAnYXV0aF9mYWlsJyA6ICcnIgo=", "description": "Parse caddy logs", "author": "crowdsecurity", "labels": null diff --git a/.tests/caddy-logs/parser.assert b/.tests/caddy-logs/parser.assert index 17a7d049b11..a53b23f3044 100644 --- a/.tests/caddy-logs/parser.assert +++ b/.tests/caddy-logs/parser.assert 
@@ -53,6 +53,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false len(results["s01-parse"]["crowdsecurity/caddy-logs"]) == 7 results["s01-parse"]["crowdsecurity/caddy-logs"][0].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Parsed["http_version"] == "1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840791.7564995,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"44790\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Port\":[\"80\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002701,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Parsed["remote_ip"] == "127.0.0.1" 
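Review bot: The added `http_version` assertions in this hunk, and the matching ones for events [1] to [6] in the later hunks, only ever expect "1.0" or "1.1", so the fixture never covers a `proto` value that is absent, empty or has no "/" separator. The commit message ties this field to the `http-dos-invalid-http-versions` scenario, so malformed values are the inputs that matter most for detection. The parser expression, visible on this page only base64-encoded in `.index.json`, appears to take element `[1]` of `Split(proto, '/')`, which may not evaluate cleanly for a value without "/"; that should be confirmed against the YAML hunk, which is outside this view. I would add one such log line to the test's log fixture and pin the outcome, for example `results["s01-parse"]["crowdsecurity/caddy-logs"][7].Evt.Parsed["http_version"] == "<expected value>"` (index 7 and the value are placeholders), with the `len(...) == 7` assertion bumped to match. An HTTP/2.0 sample would also be worth adding, since none appears in the visible assertions.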
@@ -68,25 +69,26 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["level"] == "info" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["ts"], 1693840791.756500) results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["user_id"] == "" +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["ts"], 1693840791.756500) +results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" 
results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "44790" -results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Unmarshaled["caddy"]["size"] == 0 results["s01-parse"]["crowdsecurity/caddy-logs"][0].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][1].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Parsed["http_version"] == "1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.1942985,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45750\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"X-Forwarded-Port\":[\"80\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002364,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Parsed["remote_ip"] == "127.0.0.1" 
@@ -102,25 +104,26 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45750" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" -results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["size"] == 0 FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["ts"], 1693840792.194299) 
results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["status"] == 0 -results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s01-parse"]["crowdsecurity/caddy-logs"][1].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][2].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Parsed["http_version"] == "1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.5886028,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45764\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Port\":[\"80\"],\"User-Agent\":[\"curl/7.74.0\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002223,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Parsed["remote_ip"] == "127.0.0.1" 
@@ -137,24 +140,25 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Meta["service"] == "http results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Meta["source_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["ts"], 1693840792.588603) +results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" +results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45764" -results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["size"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["ts"], 1693840792.588603) +results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["status"] == 0 results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["user_id"] == "" 
results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["level"] == "info" results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s01-parse"]["crowdsecurity/caddy-logs"][2].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][3].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840839.657635,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42876\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002689,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -170,25 +174,26 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Meta["source_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["ts"], 1693840839.657635) -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42876" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" 
+results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["size"] == 0 +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["ts"], 1693840839.657635) +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s01-parse"]["crowdsecurity/caddy-logs"][3].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][4].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.2321608,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42884\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002693,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" 
results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -204,25 +209,26 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Meta["source_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["ts"], 1693840840.232161) -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42884" -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42884" +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" 
+results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["duration"], 0.000003) +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["ts"], 1693840840.232161) +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["level"] == "info" results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Unmarshaled["caddy"]["status"] == 0 results["s01-parse"]["crowdsecurity/caddy-logs"][4].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][5].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.5579731,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42892\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002928,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -238,25 +244,26 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Meta["source_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["ts"], 1693840840.557973) -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["level"] == "info" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42892" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" 
results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["ts"], 1693840840.557973) +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s01-parse"]["crowdsecurity/caddy-logs"][5].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/caddy-logs"][6].Success == true results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Parsed["http_version"] == "1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.896227,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42894\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002716,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" 
results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Parsed["program"] == "caddy" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -272,26 +279,27 @@ results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Meta["source_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["user_id"] == "" -FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["ts"], 1693840840.896227) +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42894" 
results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["size"] == 0 results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["status"] == 0 +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["ts"], 1693840840.896227) +results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["user_id"] == "" +FloatApproxEqual(results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s01-parse"]["crowdsecurity/caddy-logs"][6].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840791.7564995,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"44790\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Port\":[\"80\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002701,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_ip"] == "127.0.0.1" 
@@ -310,6 +318,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_fqdn results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-09-04T15:19:51Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:51Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["status"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["ts"], 1693840791.756500) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" 
@@ -319,15 +332,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["cadd results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "44790" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["ts"], 1693840791.756500) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["user_id"] == "" -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["caddy"]["status"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.1942985,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45750\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"X-Forwarded-Port\":[\"80\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002364,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_ip"] == "127.0.0.1" 
@@ -345,25 +354,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-09-04T15:19:52Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:52Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["duration"], 0.000002) +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45750" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["ts"], 1693840792.194299) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.5886028,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45764\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Port\":[\"80\"],\"User-Agent\":[\"curl/7.74.0\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002223,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_ip"] == "127.0.0.1" 
@@ -381,25 +391,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-09-04T15:19:52Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:52Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45764" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["size"] == 0 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["ts"], 1693840792.588603) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["ts"], 1693840792.588603) +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840839.657635,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42876\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002689,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -417,25 +428,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-09-04T15:20:39Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:39Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["size"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["ts"], 1693840839.657635) FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42876" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42876" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["caddy"]["ts"], 1693840839.657635) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.2321608,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42884\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002693,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -453,25 +465,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["ts"], 1693840840.232161) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42884" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.5579731,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42892\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002928,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -489,25 +502,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["status"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["size"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["ts"], 1693840840.557973) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["user_id"] == "" -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == 
"42892" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["user_id"] == "" +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["duration"], 0.000003) +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["status"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["caddy"]["ts"], 1693840840.557973) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.896227,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42894\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002716,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "caddy" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_ip"] == "172.17.0.1" 
@@ -525,27 +539,28 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42894" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["size"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["ts"], 1693840840.896227) results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 7 results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["message"] == 
"{\"level\":\"info\",\"ts\":1693840791.7564995,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"44790\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Port\":[\"80\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002701,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["program"] == "caddy" 
@@ -566,26 +581,27 @@ results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "12 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2023-09-04T15:19:51Z" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:51Z" -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "44790" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["ts"], 1693840791.756500) -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["caddy"]["size"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][1].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.1942985,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45750\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"X-Forwarded-Port\":[\"80\"],\"Accept\":[\"*/*\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002364,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["program"] == "caddy" 
@@ -606,26 +622,27 @@ results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["source_ip"] == "12 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["timestamp"] == "2023-09-04T15:19:52Z" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:52Z" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["duration"], 0.000002) results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["size"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["ts"], 1693840792.194299) +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["level"] == "info" +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["duration"], 0.000002) +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45750" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" 
results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["status"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["user_id"] == "" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["size"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["ts"], 1693840792.194299) +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][2].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["http_version"] == "1.0" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840792.5886028,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"45764\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.0\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Port\":[\"80\"],\"User-Agent\":[\"curl/7.74.0\"],\"Connection\":[\"close\"],\"X-Real-Ip\":[\"127.0.0.1\"],\"Forwarded\":[\"for=127.0.0.1\"],\"X-Forwarded-For\":[\"127.0.0.1\"],\"X-Forwarded-Host\":[\"127.0.0.1\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002223,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["program"] == "caddy" 
@@ -646,26 +663,27 @@ results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["source_ip"] == "12 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["timestamp"] == "2023-09-04T15:19:52Z" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:19:52Z" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["status"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["size"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["ts"], 1693840792.588603) results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" 
results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "45764" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "127.0.0.1" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.0" -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["size"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["duration"], 0.000002) -results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["caddy"]["status"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][3].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840839.657635,\"logger\":\"http.log.access\",\"msg\":\"handled 
request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42876\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002689,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["program"] == "caddy" 
@@ -687,25 +705,26 @@ results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["target_fqdn"] == " results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["timestamp"] == "2023-09-04T15:20:39Z" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:39Z" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["status"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42876" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" 
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["size"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["ts"], 1693840839.657635) +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][4].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.2321608,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42884\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.74.0\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002693,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["program"] == "caddy" 
@@ -726,26 +745,27 @@ results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["source_ip"] == "17 results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["level"] == "info" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42884" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" 
+results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["ts"], 1693840840.232161) -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["duration"], 0.000003) -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["msg"] == "handled request" -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][5].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.5579731,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42892\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002928,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" 
results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["program"] == "caddy" 
@@ -767,25 +787,26 @@ results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["target_fqdn"] == " results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["ts"], 1693840840.557973) -results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 +FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["duration"], 0.000003) results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" -results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["msg"] == "handled request" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42892" -results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["status"] == 0 -FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["duration"], 0.000003) 
-results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["size"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["user_id"] == "" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["caddy"]["status"] == 0 results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/http-logs"][6].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_dir"] == "/" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_user_agent"] == "curl/7.74.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_version"] == "1.1" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["impact_completion"] == "true" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["message"] == "{\"level\":\"info\",\"ts\":1693840840.896227,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"172.17.0.1\",\"remote_port\":\"42894\",\"client_ip\":\"172.17.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"127.0.0.1:8080\",\"uri\":\"/\",\"headers\":{\"User-Agent\":[\"curl/7.74.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000002716,\"size\":0,\"status\":0,\"resp_headers\":{\"Server\":[\"Caddy\"]}}" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["program"] == "caddy" 
@@ -806,21 +827,21 @@ results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["source_ip"] == "17 results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["target_fqdn"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["timestamp"] == "2023-09-04T15:20:40Z" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Enriched["MarshaledTime"] == "2023-09-04T15:20:40Z" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["status"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["user_id"] == "" FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["duration"], 0.000003) +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["level"] == "info" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["logger"] == "http.log.access" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["msg"] == "handled request" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["host"] == "127.0.0.1:8080" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["proto"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["remote_ip"] == "172.17.0.1" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["remote_port"] == "42894" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["uri"] == "/" -results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["request"]["client_ip"] == "172.17.0.1" 
results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["size"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["status"] == 0 FloatApproxEqual(results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["ts"], 1693840840.896227) results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["bytes_read"] == 0 -results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["level"] == "info" -results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["caddy"]["user_id"] == "" results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/parsers/s01-parse/crowdsecurity/caddy-logs.yaml b/parsers/s01-parse/crowdsecurity/caddy-logs.yaml index c311188198b..1c6b55f3620 100644 --- a/parsers/s01-parse/crowdsecurity/caddy-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/caddy-logs.yaml @@ -13,6 +13,8 @@ statics: ##Caddy now sets client_ip to the value of X-Forwarded-For if users sets trusted proxies - parsed: remote_ip expression: evt.Unmarshaled.caddy.request.client_ip + - parsed: http_version + expression: "evt.Unmarshaled.caddy.request.proto != nil ? Split(evt.Unmarshaled.caddy.request.proto, '/')[1] : nil" - parsed: remote_addr expression: "evt.Unmarshaled.caddy.request.remote_addr != nil ? Split(evt.Unmarshaled.caddy.request.remote_addr, ':')[0] : nil" - meta: source_ip @@ -34,4 +36,4 @@ statics: - meta: target_fqdn expression: evt.Unmarshaled.caddy.request.host - meta: sub_type - expression: "evt.Meta.http_status == '401' && evt.Unmarshaled.request.headers.Authorization startsWith 'Basic ' ? 'auth_fail' : ''" \ No newline at end of file + expression: "evt.Meta.http_status == '401' && evt.Unmarshaled.request.headers.Authorization startsWith 'Basic ' ? 'auth_fail' : ''"
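Review bot: The new `http_version` static in caddy-logs.yaml indexes `Split(evt.Unmarshaled.caddy.request.proto, '/')[1]` after checking only that `proto` is non-nil, so a logged `proto` value with no `/` has no second element to read. How the expression engine handles that out-of-range index is not visible here; presumably the static errors and `http_version` stays unset, which looks like the gap this commit set out to close for the `http-dos-invalid-http-versions` scenario. Because `proto` originates from the client's request line, I would also guard on the separator: `expression: "evt.Unmarshaled.caddy.request.proto != nil && evt.Unmarshaled.caddy.request.proto contains '/' ? Split(evt.Unmarshaled.caddy.request.proto, '/')[1] : nil"`. The visible fixtures in parser.assert cover only `HTTP/1.0` and `HTTP/1.1`, so a log line with a missing or malformed `proto` would be worth adding to pin the fallback.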