npmplus:/# cscli explain --log '[26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 192.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4' --type npmplus -v line: [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 192.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 ├ s00-raw | ├ 🔴 crowdsecurity/cri-logs | ├ 🔴 crowdsecurity/docker-logs | ├ 🔴 crowdsecurity/syslog-logs | └ 🟢 crowdsecurity/non-syslog (+5 ~8) | └ update evt.ExpectMode : %!s(int=0) -> 1 | └ update evt.Stage : -> s01-parse | └ update evt.Line.Raw : -> [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 192.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 | └ update evt.Line.Src : -> /tmp/cscli_explain3533757459/cscli_test_tmp.log | └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-06-26 09:30:09.208992022 +0000 UTC | └ create evt.Line.Labels.type : npmplus | └ update evt.Line.Process : %!s(bool=false) -> true | └ update evt.Line.Module : -> file | └ create evt.Parsed.program : npmplus | └ create evt.Parsed.message : [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 192.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 | └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-06-26 09:30:09.209196042 +0000 UTC | └ create evt.Meta.datasource_path : /tmp/cscli_explain3533757459/cscli_test_tmp.log | └ create evt.Meta.datasource_type : file ├ s01-parse | ├ 🔴 crowdsecurity/appsec-logs | ├ 🔴 crowdsecurity/modsecurity | └ 🟢 ZoeyVid/npmplus-logs (+20 ~2) | └ update evt.Stage : s01-parse -> s01-whitelist | └ create evt.Parsed.bytes_sent : 665 | └ create evt.Parsed.http_referer : - | └ create evt.Parsed.remote_addr : 192.168.100.191 | └ create evt.Parsed.status : 200 | └ create evt.Parsed.time_local : 26/Jun/2025:12:27:00 +0300 | └ create evt.Parsed.verb : GET | └ create evt.Parsed.body_bytes_sent : 122 | └ create evt.Parsed.http_user_agent : axios/1.3.4 | └ create evt.Parsed.http_version : 1.1 | └ create evt.Parsed.request : /api/v3/queue?apikey=hidden&includeSomething=true | └ create evt.Parsed.request_time : 0.010 | └ create evt.Parsed.target_fqdn : subdomain.domain.duckdns.org | └ update evt.StrTime : -> 26/Jun/2025:12:27:00 +0300 | └ create evt.Meta.http_path : /api/v3/queue?apikey=hidden&includeSomething=true | └ create evt.Meta.http_status : 200 | └ create evt.Meta.http_user_agent : axios/1.3.4 | └ create evt.Meta.http_verb : GET | └ create evt.Meta.log_type : http_access-log | └ create evt.Meta.service : http | └ create evt.Meta.source_ip : 192.168.100.191 | └ create evt.Meta.target_fqdn : subdomain.domain.duckdns.org ├ s01-whitelist | └ 🟢 custom/my-whitelists (~2 [whitelisted]) | └ update evt.Whitelisted : %!s(bool=false) -> true | └ update evt.WhitelistReason : -> Trusted local network/admin IPs └-------- parser success, ignored by whitelist (Trusted local network/admin IPs) 🟢 npmplus:/# cscli explain --log '[26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 142.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4' --type npmplus -v line: [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 142.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 ├ s00-raw | ├ 🔴 crowdsecurity/cri-logs | ├ 🔴 crowdsecurity/docker-logs | ├ 🔴 crowdsecurity/syslog-logs | └ 🟢 crowdsecurity/non-syslog (+5 ~8) | └ update evt.ExpectMode : %!s(int=0) -> 1 | └ update evt.Stage : -> s01-parse | └ update evt.Line.Raw : -> [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 142.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 | └ update evt.Line.Src : -> /tmp/cscli_explain116701128/cscli_test_tmp.log | └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-06-26 09:30:27.066979209 +0000 UTC | └ create evt.Line.Labels.type : npmplus | └ update evt.Line.Process : %!s(bool=false) -> true | └ update evt.Line.Module : -> file | └ create evt.Parsed.message : [26/Jun/2025:12:27:00 +0300] subdomain.domain.duckdns.org 142.168.100.191 0.010 "GET /api/v3/queue?apikey=hidden&includeSomething=true HTTP/1.1" 200 122 665 - axios/1.3.4 | └ create evt.Parsed.program : npmplus | └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-06-26 09:30:27.067195433 +0000 UTC | └ create evt.Meta.datasource_type : file | └ create evt.Meta.datasource_path : /tmp/cscli_explain116701128/cscli_test_tmp.log ├ s01-parse | ├ 🔴 crowdsecurity/appsec-logs | ├ 🔴 crowdsecurity/modsecurity | └ 🟢 ZoeyVid/npmplus-logs (+20 ~2) | └ update evt.Stage : s01-parse -> s01-whitelist | └ create evt.Parsed.status : 200 | └ create evt.Parsed.verb : GET | └ create evt.Parsed.body_bytes_sent : 122 | └ create evt.Parsed.bytes_sent : 665 | └ create evt.Parsed.http_referer : - | └ create evt.Parsed.http_version : 1.1 | └ create evt.Parsed.remote_addr : 142.168.100.191 | └ create evt.Parsed.target_fqdn : subdomain.domain.duckdns.org | └ create evt.Parsed.time_local : 26/Jun/2025:12:27:00 +0300 | └ create evt.Parsed.http_user_agent : axios/1.3.4 | └ create evt.Parsed.request : /api/v3/queue?apikey=hidden&includeSomething=true | └ create evt.Parsed.request_time : 0.010 | └ update evt.StrTime : -> 26/Jun/2025:12:27:00 +0300 | └ create evt.Meta.http_status : 200 | └ create evt.Meta.service : http | └ create evt.Meta.http_user_agent : axios/1.3.4 | └ create evt.Meta.http_verb : GET | └ create evt.Meta.log_type : http_access-log | └ create evt.Meta.source_ip : 142.168.100.191 | └ create evt.Meta.target_fqdn : subdomain.domain.duckdns.org | └ create evt.Meta.http_path : /api/v3/queue?apikey=hidden&includeSomething=true ├ s01-whitelist | └ 🟢 custom/my-whitelists (unchanged) └-------- parser failure 🔴