traefik-logs parser (v1.5) fails to parse logs when reading directly from file

[giperion85]

GitHub Issue Template for CrowdSec Hub

Title

traefik-logs parser (v1.5) fails to parse logs when reading directly from file without syslog/journald

---

Issue Description

Problem

The crowdsecurity/traefik-logs parser (version 1.5) fails to parse Traefik logs when they are read directly from a file (without syslog/journald wrapper). All logs remain unparsed.

Environment

• CrowdSec version: 1.7.6
• Traefik version: 3.6.7
• Parser version: crowdsecurity/traefik-logs v1.5
• OS: Debian 13
• Log format: JSON (direct file write)

Root Cause

The parser uses this filter:

filter: "evt.Parsed.program startsWith 'traefik'"

However, when logs are read directly from a file using acquisition config:

source: file
filename: /var/log/traefik/access.log
labels:
  type: traefik

The evt.Parsed.program field is not automatically created. This field is typically added by syslog/journald, but when reading raw files, it doesn't exist, causing the filter to fail.

Reproduction Steps

1. Configure Traefik to write JSON logs directly to a file:

# traefik.yaml
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json

2. Configure CrowdSec acquisition:

# /etc/crowdsec/acquis.d/traefik.yaml
source: file
filename: /var/log/traefik/access.log
labels:
  type: traefik

3. Install the official parser:

cscli parsers install crowdsecurity/traefik-logs
systemctl restart crowdsec

4. Check metrics:

cscli metrics

Expected result: Logs should be parsed
Actual result:

Lines read:     100
Lines parsed:   -
Lines unparsed: 100

Sample Log Line

{"ClientAddr":"178.17.168.33:24316","ClientHost":"178.176.168.9","ClientPort":"24316","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":204,"Duration":9972974,"OriginContentSize":0,"OriginDuration":5619120,"OriginStatus":204,"Overhead":4353854,"RequestAddr":"immich.hlab.net","RequestContentSize":64,"RequestCount":3164,"RequestHost":"immich.hlab.net","RequestMethod":"POST","RequestPath":"/api/sync/ack","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"immich@file","ServiceAddr":"192.168.1.102:2283","ServiceName":"immich@file","ServiceURL":"http://192.168.1.102:2283","StartLocal":"2026-02-11T12:39:59.746221151+04:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2026-02-11T12:39:59+04:00"}

---

Workaround: Create local parser with different filter (WORKS)

Create a local parser that uses evt.Line.Labels.type instead of evt.Parsed.program:

name: local/traefik-logs
filter: "evt.Line.Labels.type == 'traefik'"  # Changed from evt.Parsed.program
# ... rest of parser code with evt.Line.Raw instead of evt.Parsed.message

---

Suggested Solution

I suggest updating the parser to be more flexible and work with both syslog/journald and direct file sources.

Option 1: Use fallback filter (Recommended)

filter: "evt.Parsed.program startsWith 'traefik' || evt.Line.Labels.type == 'traefik'"

This would work with:

• Syslog/journald (evt.Parsed.program)
• Direct file read (evt.Line.Labels.type)

Option 2: Check both sources for JSON parsing

Update the JSON parser node to check both evt.Parsed.message and evt.Line.Raw:

- filter: |
    (evt.Parsed.message != "" && TrimSpace(evt.Parsed.message) startsWith "{") ||
    (evt.Line.Raw != "" && TrimSpace(evt.Line.Raw) startsWith "{")

Option 3: Update documentation

If the current behavior is intended, update the parser documentation to clearly state:

• Parser requires logs via syslog/journald
• For direct file reading, users must create an s00 parser to add the program field
• Provide example s00 parser in documentation

---

Additional Context

This issue affects users who:

• Use Traefik's native file logging (common setup)
• Don't use syslog/journald as an intermediary
• Follow Traefik's official documentation for logging

The previous version (v1.4) had the same filter, so this issue likely existed before but may not have been widely reported.

---

Related Files

• Parser: https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/traefik-logs.yaml
• CrowdSec acquisition docs: https://docs.crowdsec.net/docs/data_sources/intro

---

Checklist

• I have tested the workarounds and they work
• I have provided sample log lines
• I have provided my configuration files
• This issue affects the latest parser version

---

Impact

This prevents the official parser from working out-of-the-box with a json Traefik 3.6.6 logging setup, requiring users to create custom local parsers as workaround

[blotus]

evt.Parsed.program is always set: if the log is coming from syslog, we extract it from the syslog message, otherwise we use the label provided in the configuration (see here).

Can you confirm you have the syslog parser installed ? (cscli parsers list).

If you do not have the syslog parser installed (the name is misleading, it also handles non-syslog logs), you'll need to install it (preferably with cscli collections install crowdsecurity/linux as this will also install the geoip enrichment parser, or cscli parsers install crowdsecurity/syslog-logs)