crowdsec-5678ddc69f-rqzc4:/# cscli explain --log '{"log":"{\"ClientAddr\":\"47.128.59.156:11340\",\"ClientHost\":\"47.128.59.156\",\"ClientPort\":\"11340\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":33997,\"DownstreamStatus\":200,\"Duration\":52900667,\"OriginContentSize\":33997,\"OriginDuration\":51955541,\"OriginStatus\":200,\"Overhead\":945126,\"RequestAddr\":\"gitea.communiquons.org\",\"RequestContentSize\":0,\"RequestCount\":19393,\"RequestHost\":\"gitea.communiquons.org\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/2.0\",\"RequestScheme\":\"https\",\"RetryAttempts\":0,\"RouterName\":\"httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway\",\"ServiceAddr\":\"10.42.0.224:3000\",\"ServiceName\":\"default-gitea-app-http-9200@kubernetesgateway\",\"ServiceURL\":\"http://10.42.0.224:3000\",\"StartLocal\":\"2025-12-08T10:59:43.076478926Z\",\"StartUTC\":\"2025-12-08T10:59:43.076478926Z\",\"TLSCipher\":\"TLS_AES_128_GCM_SHA256\",\"TLSVersion\":\"1.3\",\"entryPointName\":\"websecure\",\"level\":\"info\",\"msg\":\"\",\"request_User-Agent\":\"Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)\",\"time\":\"2025-12-08T10:59:43Z\"}\n","stream":"stdout","time":"2025-12-08T10:59:43.129598811Z"}' --type docker --labels "program:traefik" -v
line: {"log":"{\"ClientAddr\":\"47.128.59.156:11340\",\"ClientHost\":\"47.128.59.156\",\"ClientPort\":\"11340\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":33997,\"DownstreamStatus\":200,\"Duration\":52900667,\"OriginContentSize\":33997,\"OriginDuration\":51955541,\"OriginStatus\":200,\"Overhead\":945126,\"RequestAddr\":\"gitea.communiquons.org\",\"RequestContentSize\":0,\"RequestCount\":19393,\"RequestHost\":\"gitea.communiquons.org\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/2.0\",\"RequestScheme\":\"https\",\"RetryAttempts\":0,\"RouterName\":\"httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway\",\"ServiceAddr\":\"10.42.0.224:3000\",\"ServiceName\":\"default-gitea-app-http-9200@kubernetesgateway\",\"ServiceURL\":\"http://10.42.0.224:3000\",\"StartLocal\":\"2025-12-08T10:59:43.076478926Z\",\"StartUTC\":\"2025-12-08T10:59:43.076478926Z\",\"TLSCipher\":\"TLS_AES_128_GCM_SHA256\",\"TLSVersion\":\"1.3\",\"entryPointName\":\"websecure\",\"level\":\"info\",\"msg\":\"\",\"request_User-Agent\":\"Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)\",\"time\":\"2025-12-08T10:59:43Z\"}\n","stream":"stdout","time":"2025-12-08T10:59:43.129598811Z"}
	├ s00-raw
	|	├ 🔴 crowdsecurity/cri-logs
	|	└ 🟢 crowdsecurity/docker-logs (+4 ~9)
	|		└ update evt.ExpectMode : %!s(int=0) -> 1
	|		└ update evt.Stage :  -> s01-parse
	|		└ update evt.Line.Raw :  -> {"log":"{\"ClientAddr\":\"47.128.59.156:11340\",\"ClientHost\":\"47.128.59.156\",\"ClientPort\":\"11340\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":33997,\"DownstreamStatus\":200,\"Duration\":52900667,\"OriginContentSize\":33997,\"OriginDuration\":51955541,\"OriginStatus\":200,\"Overhead\":945126,\"RequestAddr\":\"gitea.communiquons.org\",\"RequestContentSize\":0,\"RequestCount\":19393,\"RequestHost\":\"gitea.communiquons.org\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/2.0\",\"RequestScheme\":\"https\",\"RetryAttempts\":0,\"RouterName\":\"httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway\",\"ServiceAddr\":\"10.42.0.224:3000\",\"ServiceName\":\"default-gitea-app-http-9200@kubernetesgateway\",\"ServiceURL\":\"http://10.42.0.224:3000\",\"StartLocal\":\"2025-12-08T10:59:43.076478926Z\",\"StartUTC\":\"2025-12-08T10:59:43.076478926Z\",\"TLSCipher\":\"TLS_AES_128_GCM_SHA256\",\"TLSVersion\":\"1.3\",\"entryPointName\":\"websecure\",\"level\":\"info\",\"msg\":\"\",\"request_User-Agent\":\"Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)\",\"time\":\"2025-12-08T10:59:43Z\"}\n","stream":"stdout","time":"2025-12-08T10:59:43.129598811Z"}
	|		└ update evt.Line.Src :  -> /tmp/cscli_explain2936154722/cscli_test_tmp.log
	|		└ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-08 11:03:13.803806009 +0000 UTC
	|		└ create evt.Line.Labels.program : traefik
	|		└ create evt.Line.Labels.type : docker
	|		└ update evt.Line.Process : %!s(bool=false) -> true
	|		└ update evt.Line.Module :  -> file
	|		└ create evt.Parsed.program : traefik
	|		└ create evt.Parsed.message : {"ClientAddr":"47.128.59.156:11340","ClientHost":"47.128.59.156","ClientPort":"11340","ClientUsername":"-","DownstreamContentSize":33997,"DownstreamStatus":200,"Duration":52900667,"OriginContentSize":33997,"OriginDuration":51955541,"OriginStatus":200,"Overhead":945126,"RequestAddr":"gitea.communiquons.org","RequestContentSize":0,"RequestCount":19393,"RequestHost":"gitea.communiquons.org","RequestMethod":"GET","RequestPath":"/pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway","ServiceAddr":"10.42.0.224:3000","ServiceName":"default-gitea-app-http-9200@kubernetesgateway","ServiceURL":"http://10.42.0.224:3000","StartLocal":"2025-12-08T10:59:43.076478926Z","StartUTC":"2025-12-08T10:59:43.076478926Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)","time":"2025-12-08T10:59:43Z"}

	|		└ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-08 11:03:13.803835527 +0000 UTC
	|		└ update evt.StrTime :  -> 2025-12-08T10:59:43.129598811Z
	├ s01-parse
	|	└ 🟢 crowdsecurity/traefik-logs (+23 ~2)
	|		└ update evt.Stage : s01-parse -> s02-enrich
	|		└ create evt.Parsed.body_bytes_sent : 33997
	|		└ create evt.Parsed.dest_addr : 47.128.59.156
	|		└ create evt.Parsed.remote_addr : 47.128.59.156
	|		└ create evt.Parsed.request : /pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered
	|		└ create evt.Parsed.status : 200
	|		└ create evt.Parsed.time_local : 2025-12-08T10:59:43Z
	|		└ create evt.Parsed.http_version : 2.0
	|		└ create evt.Parsed.request_duration_in_ms : 52900667
	|		└ create evt.Parsed.verb : GET
	|		└ create evt.Parsed.http_user_agent : Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)
	|		└ create evt.Parsed.traefik_router_name : httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway
	|		└ create evt.Parsed.request_addr : gitea.communiquons.org
	|		└ create evt.Parsed.service_addr : 10.42.0.224
	|		└ create evt.Unmarshaled.traefik : map[ClientAddr:47.128.59.156:11340 ClientHost:47.128.59.156 ClientPort:11340 ClientUsername:- DownstreamContentSize:33997 DownstreamStatus:200 Duration:5.2900667e+07 OriginContentSize:33997 OriginDuration:5.1955541e+07 OriginStatus:200 Overhead:945126 RequestAddr:gitea.communiquons.org RequestContentSize:0 RequestCount:19393 RequestHost:gitea.communiquons.org RequestMethod:GET RequestPath:/pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered RequestPort:- RequestProtocol:HTTP/2.0 RequestScheme:https RetryAttempts:0 RouterName:httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway ServiceAddr:10.42.0.224:3000 ServiceName:default-gitea-app-http-9200@kubernetesgateway ServiceURL:http://10.42.0.224:3000 StartLocal:2025-12-08T10:59:43.076478926Z StartUTC:2025-12-08T10:59:43.076478926Z TLSCipher:TLS_AES_128_GCM_SHA256 TLSVersion:1.3 entryPointName:websecure level:info msg: request_User-Agent:Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot) time:2025-12-08T10:59:43Z]
	|		└ update evt.StrTime : 2025-12-08T10:59:43.129598811Z -> 2025-12-08T10:59:43Z
	|		└ create evt.Meta.http_path : /pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered
	|		└ create evt.Meta.http_status : 200
	|		└ create evt.Meta.http_user_agent : Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com GPTBot)
	|		└ create evt.Meta.http_verb : GET
	|		└ create evt.Meta.log_type : http_access-log
	|		└ create evt.Meta.service : http
	|		└ create evt.Meta.source_ip : 47.128.59.156
	|		└ create evt.Meta.target_fqdn : gitea.communiquons.org
	|		└ create evt.Meta.traefik_router_name : httproute-default-gitea-gw-default-gateway-ep-websecure-0-ae63ed088e24c4a890a9@kubernetesgateway
	├ s02-enrich
	|	└ 🟢 crowdsecurity/http-logs (+8 ~1)
	|		└ update evt.Parsed.request : /pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock?display=rendered -> /pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/Cargo.lock
	|		└ create evt.Parsed.static_ressource : false
	|		└ create evt.Parsed.file_ext : .lock
	|		└ create evt.Parsed.file_frag : Cargo
	|		└ create evt.Parsed.file_dir : /pierre/MinioK8sBuckets/src/commit/be307810b2ce7a4eb5488224caf969245825fba1/
	|		└ create evt.Parsed.file_name : Cargo.lock
	|		└ create evt.Parsed.http_args : display=rendered
	|		└ create evt.Parsed.impact_completion : true
	|		└ create evt.Meta.http_args_len : 16
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 crowdsecurity/http-crawl-non_statics