From 46c3142c1fd6a82d713b8fe8c10c37f7979b359b Mon Sep 17 00:00:00 2001
From: Laurence
Date: Sat, 24 Jan 2026 10:35:39 +0000
Subject: [PATCH] Fix IPv6 address parsing in envoy-logs parser

- Use lastIndexOf to extract IP from address:port format instead of split/join
- Handle IPv6 addresses in brackets correctly for both JSON and CLF formats
- Simplify expressions to match consistent style
- Add test cases for IPv6 addresses in both JSON and CLF formats
- Add test cases for multiple IPs in x-forwarded-for (upstream proxies)

Fixes https://github.com/crowdsecurity/hub/issues/1658
---
 .tests/envoy-logs/envoy.log | 6 +
 .tests/envoy-logs/parser.assert | 1048 +++++++++++++++--
 .../s01-parse/yanis-kouidri/envoy-logs.yaml | 11 +-
 3 files changed, 958 insertions(+), 107 deletions(-)

diff --git a/.tests/envoy-logs/envoy.log b/.tests/envoy-logs/envoy.log
index 13265dba9c9..e0d129a62b4 100644
--- a/.tests/envoy-logs/envoy.log
+++ b/.tests/envoy-logs/envoy.log
@@ -2,3 +2,9 @@
 2025-12-31T18:22:06.456373561+01:00 stdout F {":authority":"10.0.0.13","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10080","downstream_remote_address":"192.168.1.45:33045","duration":0,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":301,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*","start_time":"2025-12-31T17:22:04.951Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36","x-envoy-origin-path":"/","x-envoy-upstream-service-time":null,"x-forwarded-for":"192.168.1.45","x-request-id":"a9864e02-c6f5-4375-a27d-3ffd7f312811"}
 2025-12-31T18:30:06.518608527+01:00 stdout F {":authority":"foo.example.com","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10443","downstream_remote_address":"172.16.2.33:49578","duration":5,"method":"HEAD","protocol":"HTTP/2","requested_server_name":null,"response_code":404,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com","start_time":"2025-12-31T17:30:03.228Z","upstream_cluster":"httproute/app/app-foo-example-com/rule/0","upstream_host":"10.42.0.88:1337","upstream_local_address":"10.42.0.77:47106","upstream_transport_failure_reason":null,"user-agent":"curl/8.5.0","x-envoy-origin-path":"/.env","x-envoy-upstream-service-time":null,"x-forwarded-for":"172.16.2.33","x-request-id":"fff03852-5ae8-468b-a528-434d095ddc49"}
 2025-12-31T19:00:00.310000000+01:00 stdout F [2016-04-15T20:17:00.310Z] "POST /api/v1/locations HTTP/2" 204 - 154 0 226 100 "10.0.35.28" "nsq2http" "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" "locations" "tcp://10.0.2.1:80"
+2026-01-24T01:34:36.743000000+00:00 stdout F [2026-01-24T01:34:36.743Z] "GET /test HTTP/1.1" 200 - 0 256 50 25 "[fd00:1234:5678::5a24]" "curl/8.10.1" "test-request-id" "example.com" "tcp://[fd00:1234:5678::e18]:8080"
+2026-01-24T01:34:36.743000000+00:00 stdout F {":authority":"example.com","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"[fd00:1234:5678::e18]:10080","downstream_remote_address":"[fd00:1234:5678::5a24]:43000","duration":0,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":301,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/namespace/route-name/rule/0/match/0/*","start_time":"2026-01-24T01:34:36.743Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"curl/8.10.1","x-envoy-origin-path":"/","x-envoy-upstream-service-time":null,"x-forwarded-for":"fd00:1234:5678::5a24","x-request-id":"6d6e08ba-02a3-4a26-968a-2183aa33a56d"}
+2026-01-24T01:35:00.000000000+00:00 stdout F {":authority":"proxy.example.com","bytes_received":0,"bytes_sent":512,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10443","downstream_remote_address":"10.42.0.1:54321","duration":15,"method":"GET","protocol":"HTTP/2","requested_server_name":null,"response_code":200,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com","start_time":"2026-01-24T01:35:00.000Z","upstream_cluster":"httproute/app/proxy-example-com/rule/0","upstream_host":"10.42.0.82:8080","upstream_local_address":"10.42.0.77:51216","upstream_transport_failure_reason":null,"user-agent":"Mozilla/5.0","x-envoy-origin-path":"/api/data","x-envoy-upstream-service-time":null,"x-forwarded-for":"192.168.1.100, 10.42.0.1","x-request-id":"multi-ip-v4-test-id"}
+2026-01-24T01:36:00.000000000+00:00 stdout F {":authority":"proxy6.example.com","bytes_received":0,"bytes_sent":1024,"connection_termination_details":null,"downstream_local_address":"[fd00:1234:5678::e18]:10080","downstream_remote_address":"[fd00:1234:5678::1]:54321","duration":20,"method":"POST","protocol":"HTTP/1.1","requested_server_name":null,"response_code":201,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com","start_time":"2026-01-24T01:36:00.000Z","upstream_cluster":"httproute/app/proxy6-example-com/rule/0","upstream_host":"[fd00:1234:5678::e18]:8080","upstream_local_address":"[fd00:1234:5678::e18]:51216","upstream_transport_failure_reason":null,"user-agent":"curl/8.10.1","x-envoy-origin-path":"/api/create","x-envoy-upstream-service-time":null,"x-forwarded-for":"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321","x-request-id":"multi-ip-v6-test-id"}
+2026-01-24T01:37:00.000000000+00:00 stdout F [2026-01-24T01:37:00.000Z] "GET /api/proxy HTTP/1.1" 200 - 0 512 30 15 "192.168.1.100, 10.42.0.1" "Mozilla/5.0" "multi-ip-clf-v4" "proxy.example.com" "tcp://10.42.0.82:8080"
+2026-01-24T01:38:00.000000000+00:00 stdout F [2026-01-24T01:38:00.000Z] "POST /api/proxy6 HTTP/1.1" 201 - 0 1024 40 20 "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" "curl/8.10.1" "multi-ip-clf-v6" "proxy6.example.com" "tcp://[fd00:1234:5678::e18]:8080"
\ No newline at end of file
diff --git a/.tests/envoy-logs/parser.assert b/.tests/envoy-logs/parser.assert
index 119627278f3..de282632592 100644
--- a/.tests/envoy-logs/parser.assert
+++ b/.tests/envoy-logs/parser.assert
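Review bot: The added `x-forwarded-for` fixtures in `.tests/envoy-logs/envoy.log` are all well-formed, so this hunk pins no expected `source_ip` for a header entry that is not an address, or for a bare IPv4 entry that carries a port. That gap matters because the header is supplied by the client and `source_ip` is presumably the value later stages key on; the parser expression itself is outside this hunk, so whether it validates what it extracts cannot be confirmed here. I would add one JSON and one CLF line whose first entry is not an address (constructed example: `"x-forwarded-for":"unknown, 10.42.0.1"`) and one with `192.168.1.100:54321` as an entry, each with an explicit `source_ip` assertion. It would also help if the commit message stated which hop of a multi-entry header the parser is meant to select, since the two-entry fixtures only make sense against that rule.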
@@ -1,5 +1,5 @@ len(results) == 4 -len(results["s00-raw"]["crowdsecurity/cri-logs"]) == 4 +len(results["s00-raw"]["crowdsecurity/cri-logs"]) == 10 results["s00-raw"]["crowdsecurity/cri-logs"][0].Success == true results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["logsource"] == "cri" 
@@ -40,7 +40,67 @@ results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["stream"] == "stdout" basename(results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Meta["datasource_path"]) == "envoy.log" results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Whitelisted == false -len(results["s01-parse"]["yanis-kouidri/envoy-logs"]) == 4 +results["s00-raw"]["crowdsecurity/cri-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["message"] == "[2026-01-24T01:34:36.743Z] \"GET /test HTTP/1.1\" 200 - 0 256 50 25 \"[fd00:1234:5678::5a24]\" \"curl/8.10.1\" \"test-request-id\" \"example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["message"] == 
"{\":authority\":\"example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::5a24]:43000\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/namespace/route-name/rule/0/match/0/*\",\"start_time\":\"2026-01-24T01:34:36.743Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24\",\"x-request-id\":\"6d6e08ba-02a3-4a26-968a-2183aa33a56d\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][5].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][6].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:35:00.000000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["message"] == 
"{\":authority\":\"proxy.example.com\",\"bytes_received\":0,\"bytes_sent\":512,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.42.0.1:54321\",\"duration\":15,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com\",\"start_time\":\"2026-01-24T01:35:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0\",\"x-envoy-origin-path\":\"/api/data\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.100, 10.42.0.1\",\"x-request-id\":\"multi-ip-v4-test-id\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][6].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][7].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:36:00.000000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["message"] == 
"{\":authority\":\"proxy6.example.com\",\"bytes_received\":0,\"bytes_sent\":1024,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::1]:54321\",\"duration\":20,\"method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":201,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com\",\"start_time\":\"2026-01-24T01:36:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy6-example-com/rule/0\",\"upstream_host\":\"[fd00:1234:5678::e18]:8080\",\"upstream_local_address\":\"[fd00:1234:5678::e18]:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/api/create\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\",\"x-request-id\":\"multi-ip-v6-test-id\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][7].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][8].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:37:00.000000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["message"] == "[2026-01-24T01:37:00.000Z] \"GET /api/proxy HTTP/1.1\" 200 - 0 512 30 15 \"192.168.1.100, 10.42.0.1\" \"Mozilla/5.0\" \"multi-ip-clf-v4\" \"proxy.example.com\" 
\"tcp://10.42.0.82:8080\"" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][8].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][9].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:38:00.000000000+00:00" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["message"] == "[2026-01-24T01:38:00.000Z] \"POST /api/proxy6 HTTP/1.1\" 201 - 0 1024 40 20 \"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\" \"curl/8.10.1\" \"multi-ip-clf-v6\" \"proxy6.example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][9].Evt.Whitelisted == false +len(results["s01-parse"]["yanis-kouidri/envoy-logs"]) == 10 results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Success == true results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" 
@@ -66,26 +126,26 @@ results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["log_type"] == "htt results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["service"] == "http" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["source_ip"] == "10.0.0.12" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["target_fqdn"] == "www.example.com" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" 
-results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" -results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Whitelisted == false results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Success == true results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00" 
@@ -112,23 +172,23 @@ results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["log_type"] == "htt results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["service"] == "http" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["source_ip"] == "192.168.1.45" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["target_fqdn"] == "10.0.0.13" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" -results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Whitelisted == false results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Success == true results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" 
@@ -156,25 +216,25 @@ results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["service"] == "http results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["source_ip"] == "172.16.2.33" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["target_fqdn"] == "foo.example.com" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == 
"2025-12-31T17:30:03.228Z" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 -results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == 
"foo.example.com" results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Whitelisted == false results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Success == true results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["bytes_received"] == "154" 
@@ -211,7 +271,247 @@ results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["service"] == "http results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["source_ip"] == "10.0.35.28" results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["target_fqdn"] == "locations" results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["bytes_received"] == "0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["bytes_sent"] == "256" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["duration"] == "50" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["message"] == "[2026-01-24T01:34:36.743Z] \"GET /test HTTP/1.1\" 200 - 0 256 50 25 \"[fd00:1234:5678::5a24]\" \"curl/8.10.1\" \"test-request-id\" \"example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::5a24]" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["request"] == "/test" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["request_id"] == "test-request-id" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["target_fqdn"] == "example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["upstream_service_time"] == "25" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Parsed["x_forwarded_for"] == "[fd00:1234:5678::5a24]" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["http_path"] == "/test" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["http_status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Meta["target_fqdn"] == "example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Success == true 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["message"] == "{\":authority\":\"example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::5a24]:43000\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/namespace/route-name/rule/0/match/0/*\",\"start_time\":\"2026-01-24T01:34:36.743Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24\",\"x-request-id\":\"6d6e08ba-02a3-4a26-968a-2183aa33a56d\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::5a24]:43000" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["request"] == "/" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["status"] == "301" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["target_fqdn"] == "example.com" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["http_path"] == "/" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["http_status"] == "301" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Meta["target_fqdn"] == "example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"][":authority"] == "example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::5a24]:43000" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["x-request-id"] == "6d6e08ba-02a3-4a26-968a-2183aa33a56d" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/namespace/route-name/rule/0/match/0/*" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:34:36.743Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][5].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:35:00.000000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["message"] == 
"{\":authority\":\"proxy.example.com\",\"bytes_received\":0,\"bytes_sent\":512,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.42.0.1:54321\",\"duration\":15,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com\",\"start_time\":\"2026-01-24T01:35:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0\",\"x-envoy-origin-path\":\"/api/data\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.100, 10.42.0.1\",\"x-request-id\":\"multi-ip-v4-test-id\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["raw_remote_addr"] == "10.42.0.1:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["remote_addr"] == "10.42.0.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["request"] == "/api/data" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["time"] == "2026-01-24T01:35:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["http_path"] == "/api/data" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["http_status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["source_ip"] == "10.42.0.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.42.0.1:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:35:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"][":authority"] == "proxy.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.100, 10.42.0.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v4-test-id" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["bytes_sent"] == 512 +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["duration"] == 15 +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/data" +results["s01-parse"]["yanis-kouidri/envoy-logs"][6].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:36:00.000000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["message"] == 
"{\":authority\":\"proxy6.example.com\",\"bytes_received\":0,\"bytes_sent\":1024,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::1]:54321\",\"duration\":20,\"method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":201,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com\",\"start_time\":\"2026-01-24T01:36:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy6-example-com/rule/0\",\"upstream_host\":\"[fd00:1234:5678::e18]:8080\",\"upstream_local_address\":\"[fd00:1234:5678::e18]:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/api/create\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\",\"x-request-id\":\"multi-ip-v6-test-id\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::1]:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["remote_addr"] == "fd00:1234:5678::1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["request"] == "/api/create" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["status"] == "201" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["time"] == "2026-01-24T01:36:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Parsed["verb"] == "POST" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["datasource_path"]) == "envoy.log" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["http_path"] == "/api/create" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["http_status"] == "201" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["http_verb"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["source_ip"] == "fd00:1234:5678::1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Meta["target_fqdn"] == "proxy6.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["bytes_sent"] == 1024 +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["duration"] == 20 +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:36:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "[fd00:1234:5678::e18]:51216" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/create" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"][":authority"] == "proxy6.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["response_code"] == 201 +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy6-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["upstream_host"] == "[fd00:1234:5678::e18]:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v6-test-id" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::1]:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["method"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s01-parse"]["yanis-kouidri/envoy-logs"][7].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["bytes_received"] == "0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["bytes_sent"] == "512" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:37:00.000000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["duration"] == "30" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["message"] == "[2026-01-24T01:37:00.000Z] \"GET /api/proxy HTTP/1.1\" 200 - 0 512 30 15 \"192.168.1.100, 10.42.0.1\" \"Mozilla/5.0\" \"multi-ip-clf-v4\" \"proxy.example.com\" \"tcp://10.42.0.82:8080\"" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["raw_remote_addr"] == "192.168.1.100, 10.42.0.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["remote_addr"] == "192.168.1.100" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["request"] == "/api/proxy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["request_id"] == "multi-ip-clf-v4" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["time"] == "2026-01-24T01:37:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["upstream_host"] == "tcp://10.42.0.82:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["upstream_service_time"] == "15" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Parsed["x_forwarded_for"] == "192.168.1.100, 10.42.0.1" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["datasource_path"]) == "envoy.log" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["http_path"] == "/api/proxy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["http_status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["source_ip"] == "192.168.1.100" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][8].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["bytes_received"] == "0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["bytes_sent"] == "1024" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:38:00.000000000+00:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["duration"] == "40" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["http_version"] == "1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["message"] == "[2026-01-24T01:38:00.000Z] \"POST /api/proxy6 HTTP/1.1\" 201 - 0 1024 40 20 \"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\" \"curl/8.10.1\" \"multi-ip-clf-v6\" \"proxy6.example.com\" 
\"tcp://[fd00:1234:5678::e18]:8080\"" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["raw_remote_addr"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["request"] == "/api/proxy6" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["request_id"] == "multi-ip-clf-v6" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["status"] == "201" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["time"] == "2026-01-24T01:38:00.000Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["upstream_service_time"] == "20" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["verb"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Parsed["x_forwarded_for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["http_path"] == "/api/proxy6" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["http_status"] == "201" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["http_user_agent"] == "curl/8.10.1" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["http_verb"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Meta["target_fqdn"] == "proxy6.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][9].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 10 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" 
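Review bot: The new CLF cases at index 8 and 9 pin `Meta["source_ip"]` to the leftmost `x-forwarded-for` entry (`192.168.1.100`, `fd00:1234:5678::5a24`), while the JSON cases at index 6 and 7 carry the same header values and resolve to the connecting peer from `downstream_remote_address` (`10.42.0.1`, `fd00:1234:5678::1`). The leftmost XFF element is client-supplied unless the edge proxy overwrites the header, so for CLF deployments a request can presumably point `source_ip` at an arbitrary address and either dodge a decision or trigger one against a third party. The parser expression itself is outside this hunk, so whether this is deliberate cannot be confirmed from here. If it is, I would state the trust assumption next to the CLF branch in `envoy-logs.yaml`, for example `# CLF: source_ip = first x-forwarded-for entry; only reliable when Envoy is the edge and overwrites client-sent XFF (use_remote_address / xff_num_trusted_hops)`. A fixture where the first XFF entry is not a valid IP would also pin what reaches `source_ip` in that case.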
@@ -239,26 +539,26 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_fqdn"] == "www.example.com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-12-31T16:37:40.479Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-12-31T16:37:40.479Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00" 
@@ -287,23 +587,23 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_fqdn"] == "10.0.0.13" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-12-31T17:22:04.951Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:22:04.951Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" 
@@ -333,25 +633,25 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_fqdn results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-12-31T17:30:03.228Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:30:03.228Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["bytes_received"] == "154" 
@@ -390,7 +690,259 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_fqdn results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2016-04-15T20:17:00.31Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2016-04-15T20:17:00.31Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 4 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["bytes_sent"] == "256" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["duration"] == "50" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "[2026-01-24T01:34:36.743Z] \"GET /test HTTP/1.1\" 200 - 0 256 50 25 \"[fd00:1234:5678::5a24]\" \"curl/8.10.1\" \"test-request-id\" \"example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::5a24]" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["request"] == "/test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["request_id"] == "test-request-id" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["upstream_service_time"] == "25" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["x_forwarded_for"] == "[fd00:1234:5678::5a24]" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_path"] == "/test" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == 
"fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\":authority\":\"example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::5a24]:43000\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/namespace/route-name/rule/0/match/0/*\",\"start_time\":\"2026-01-24T01:34:36.743Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24\",\"x-request-id\":\"6d6e08ba-02a3-4a26-968a-2183aa33a56d\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "envoy" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::5a24]:43000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["request"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["status"] == "301" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_status"] == "301" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] 
== "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["x-request-id"] == "6d6e08ba-02a3-4a26-968a-2183aa33a56d" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"][":authority"] == "example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::5a24]:43000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/namespace/route-name/rule/0/match/0/*" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["method"] == "GET" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:35:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "{\":authority\":\"proxy.example.com\",\"bytes_received\":0,\"bytes_sent\":512,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.42.0.1:54321\",\"duration\":15,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com\",\"start_time\":\"2026-01-24T01:35:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0\",\"x-envoy-origin-path\":\"/api/data\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.100, 10.42.0.1\",\"x-request-id\":\"multi-ip-v4-test-id\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["raw_remote_addr"] == "10.42.0.1:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "10.42.0.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["request"] == "/api/data" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] == "2026-01-24T01:35:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_path"] == "/api/data" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "10.42.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2026-01-24T01:35:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:35:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["bytes_sent"] == 512 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/data" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.42.0.1:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v4-test-id" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["duration"] == 15 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["response_flags"] == "-" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:35:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.100, 10.42.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["envoy"][":authority"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:36:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "{\":authority\":\"proxy6.example.com\",\"bytes_received\":0,\"bytes_sent\":1024,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::1]:54321\",\"duration\":20,\"method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":201,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com\",\"start_time\":\"2026-01-24T01:36:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy6-example-com/rule/0\",\"upstream_host\":\"[fd00:1234:5678::e18]:8080\",\"upstream_local_address\":\"[fd00:1234:5678::e18]:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/api/create\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24, 
[fd00:1234:5678::1]:54321\",\"x-request-id\":\"multi-ip-v6-test-id\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_addr"] == "fd00:1234:5678::1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["request"] == "/api/create" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["status"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["time"] == "2026-01-24T01:36:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["verb"] == "POST" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["http_path"] == "/api/create" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["http_status"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["http_verb"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "fd00:1234:5678::1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["target_fqdn"] == "proxy6.example.com" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2026-01-24T01:36:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:36:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["method"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v6-test-id" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["bytes_sent"] == 1024 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["response_code"] == 201 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy6-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["upstream_host"] == "[fd00:1234:5678::e18]:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:36:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "[fd00:1234:5678::e18]:51216" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/create" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"][":authority"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["duration"] == 20 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["bytes_sent"] == "512" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:37:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["duration"] == "30" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "[2026-01-24T01:37:00.000Z] \"GET /api/proxy HTTP/1.1\" 200 - 0 512 30 15 \"192.168.1.100, 10.42.0.1\" 
\"Mozilla/5.0\" \"multi-ip-clf-v4\" \"proxy.example.com\" \"tcp://10.42.0.82:8080\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["raw_remote_addr"] == "192.168.1.100, 10.42.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["remote_addr"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["request"] == "/api/proxy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["request_id"] == "multi-ip-clf-v4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["time"] == "2026-01-24T01:37:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["upstream_host"] == "tcp://10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["upstream_service_time"] == "15" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["x_forwarded_for"] == "192.168.1.100, 10.42.0.1" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["http_path"] == "/api/proxy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["http_status"] == "200" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["source_ip"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2026-01-24T01:37:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:37:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["bytes_sent"] == "1024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:38:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["duration"] == "40" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "[2026-01-24T01:38:00.000Z] \"POST /api/proxy6 HTTP/1.1\" 201 - 0 1024 40 20 \"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\" 
\"curl/8.10.1\" \"multi-ip-clf-v6\" \"proxy6.example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["raw_remote_addr"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["request"] == "/api/proxy6" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["request_id"] == "multi-ip-clf-v6" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["status"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["time"] == "2026-01-24T01:38:00.000Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["upstream_service_time"] == "20" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["verb"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["x_forwarded_for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["http_path"] == "/api/proxy6" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["http_status"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["http_verb"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2026-01-24T01:38:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:38:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 10 results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/assets/" 
@@ -425,26 +977,26 @@ results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "10
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["target_fqdn"] == "www.example.com"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2025-12-31T16:37:40.479Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2025-12-31T16:37:40.479Z"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["duration"] == 11
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["method"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2"
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200
-results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0"
 results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Success == true
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00"
@@ -477,23 +1029,23 @@ results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["source_ip"] == "19
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["target_fqdn"] == "10.0.0.13"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["timestamp"] == "2025-12-31T17:22:04.951Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:22:04.951Z"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["method"] == "GET"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["method"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/"
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-"
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*"
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0
 results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Success == true
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00"
@@ -528,26 +1080,26 @@ results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["source_ip"] == "17
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["target_fqdn"] == "foo.example.com"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["timestamp"] == "2025-12-31T17:30:03.228Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:30:03.228Z"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33"
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0
-results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["duration"] == 5
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2"
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z"
 results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/http-logs"][3].Success == true
 results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["bytes_received"] == "154"
@@ -592,4 +1144,290 @@ results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["target_fqdn"] == " results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["timestamp"] == "2016-04-15T20:17:00.31Z" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Enriched["MarshaledTime"] == "2016-04-15T20:17:00.31Z" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][4].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["bytes_sent"] == "256" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["duration"] == "50" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_dir"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_frag"] == "test" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_name"] == "test" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["message"] == "[2026-01-24T01:34:36.743Z] \"GET /test HTTP/1.1\" 200 - 0 256 50 25 \"[fd00:1234:5678::5a24]\" \"curl/8.10.1\" \"test-request-id\" \"example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["raw_remote_addr"] == 
"[fd00:1234:5678::5a24]" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["request"] == "/test" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["request_id"] == "test-request-id" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["upstream_service_time"] == "25" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["x_forwarded_for"] == "[fd00:1234:5678::5a24]" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_path"] == "/test" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["log_type"] == 
"http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["timestamp"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][5].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:34:36.743000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["file_dir"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["message"] == 
"{\":authority\":\"example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::5a24]:43000\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/namespace/route-name/rule/0/match/0/*\",\"start_time\":\"2026-01-24T01:34:36.743Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24\",\"x-request-id\":\"6d6e08ba-02a3-4a26-968a-2183aa33a56d\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::5a24]:43000" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["request"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["status"] == "301" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["datasource_type"] == "file" 
+results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_status"] == "301" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["target_fqdn"] == "example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["timestamp"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::5a24]:43000" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/namespace/route-name/rule/0/match/0/*" 
+results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["x-request-id"] == "6d6e08ba-02a3-4a26-968a-2183aa33a56d" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"][":authority"] == "example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:34:36.743Z" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][6].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:35:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_dir"] == "/api/" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_frag"] == "data" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_name"] == "data" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["logtag"] == "F" 
+results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["message"] == "{\":authority\":\"proxy.example.com\",\"bytes_received\":0,\"bytes_sent\":512,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.42.0.1:54321\",\"duration\":15,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com\",\"start_time\":\"2026-01-24T01:35:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0\",\"x-envoy-origin-path\":\"/api/data\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.100, 10.42.0.1\",\"x-request-id\":\"multi-ip-v4-test-id\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["raw_remote_addr"] == "10.42.0.1:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["remote_addr"] == "10.42.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["request"] == "/api/data" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["time"] == "2026-01-24T01:35:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["verb"] == "GET" 
+basename(results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_path"] == "/api/data" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["source_ip"] == "10.42.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["timestamp"] == "2026-01-24T01:35:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:35:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["duration"] == 15 +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.100, 10.42.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["bytes_sent"] == 512 +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/data" 
+results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v4-test-id" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy-example-com/rule/0/match/0/proxy_example_com" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:35:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.42.0.1:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"][":authority"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][7].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:36:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["file_dir"] == "/api/" 
+results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["file_frag"] == "create" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["file_name"] == "create" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["message"] == "{\":authority\":\"proxy6.example.com\",\"bytes_received\":0,\"bytes_sent\":1024,\"connection_termination_details\":null,\"downstream_local_address\":\"[fd00:1234:5678::e18]:10080\",\"downstream_remote_address\":\"[fd00:1234:5678::1]:54321\",\"duration\":20,\"method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":201,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com\",\"start_time\":\"2026-01-24T01:36:00.000Z\",\"upstream_cluster\":\"httproute/app/proxy6-example-com/rule/0\",\"upstream_host\":\"[fd00:1234:5678::e18]:8080\",\"upstream_local_address\":\"[fd00:1234:5678::e18]:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.10.1\",\"x-envoy-origin-path\":\"/api/create\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\",\"x-request-id\":\"multi-ip-v6-test-id\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["raw_remote_addr"] == "[fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["remote_addr"] == "fd00:1234:5678::1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["request"] == 
"/api/create" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["status"] == "201" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["time"] == "2026-01-24T01:36:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Parsed["verb"] == "POST" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["http_path"] == "/api/create" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["http_status"] == "201" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["http_verb"] == "POST" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["source_ip"] == "fd00:1234:5678::1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Meta["timestamp"] == "2026-01-24T01:36:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:36:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "[fd00:1234:5678::e18]:10080" 
+results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "[fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["duration"] == 20 +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["start_time"] == "2026-01-24T01:36:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["method"] == "POST" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "[fd00:1234:5678::e18]:51216" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"][":authority"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/api/create" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["response_code"] == 201 +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/proxy6-example-com/rule/0/match/0/proxy6_example_com" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/proxy6-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["upstream_host"] == "[fd00:1234:5678::e18]:8080" 
+results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["x-request-id"] == "multi-ip-v6-test-id" +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Unmarshaled["envoy"]["bytes_sent"] == 1024 +results["s02-enrich"]["crowdsecurity/http-logs"][7].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][8].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["bytes_sent"] == "512" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:37:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["duration"] == "30" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["file_dir"] == "/api/" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["file_frag"] == "proxy" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["file_name"] == "proxy" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["message"] == "[2026-01-24T01:37:00.000Z] \"GET /api/proxy HTTP/1.1\" 200 - 0 512 30 15 \"192.168.1.100, 10.42.0.1\" \"Mozilla/5.0\" \"multi-ip-clf-v4\" \"proxy.example.com\" \"tcp://10.42.0.82:8080\"" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["program"] == "envoy" 
+results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["raw_remote_addr"] == "192.168.1.100, 10.42.0.1" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["remote_addr"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["request"] == "/api/proxy" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["request_id"] == "multi-ip-clf-v4" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["time"] == "2026-01-24T01:37:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["upstream_host"] == "tcp://10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["upstream_service_time"] == "15" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Parsed["x_forwarded_for"] == "192.168.1.100, 10.42.0.1" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["http_path"] == "/api/proxy" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["http_user_agent"] == "Mozilla/5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["http_verb"] == "GET" 
+results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["source_ip"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["target_fqdn"] == "proxy.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Meta["timestamp"] == "2026-01-24T01:37:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:37:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][8].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][9].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["bytes_received"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["bytes_sent"] == "1024" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["cri_timestamp"] == "2026-01-24T01:38:00.000000000+00:00" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["duration"] == "40" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["file_dir"] == "/api/" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["file_frag"] == "proxy6" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["file_name"] == "proxy6" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["http_version"] == "1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["message"] == "[2026-01-24T01:38:00.000Z] \"POST /api/proxy6 HTTP/1.1\" 201 - 0 1024 40 20 
\"fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321\" \"curl/8.10.1\" \"multi-ip-clf-v6\" \"proxy6.example.com\" \"tcp://[fd00:1234:5678::e18]:8080\"" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["raw_remote_addr"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["remote_addr"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["request"] == "/api/proxy6" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["request_id"] == "multi-ip-clf-v6" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["status"] == "201" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["time"] == "2026-01-24T01:38:00.000Z" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["upstream_host"] == "tcp://[fd00:1234:5678::e18]:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["upstream_service_time"] == "20" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["verb"] == "POST" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Parsed["x_forwarded_for"] == "fd00:1234:5678::5a24, [fd00:1234:5678::1]:54321" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["http_args_len"] == "0" 
+results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["http_path"] == "/api/proxy6" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["http_status"] == "201" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["http_user_agent"] == "curl/8.10.1" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["http_verb"] == "POST" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["source_ip"] == "fd00:1234:5678::5a24" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["target_fqdn"] == "proxy6.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Meta["timestamp"] == "2026-01-24T01:38:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Enriched["MarshaledTime"] == "2026-01-24T01:38:00Z" +results["s02-enrich"]["crowdsecurity/http-logs"][9].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml b/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml index e1f606a5b39..8ed6009afb0 100644 --- a/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml +++ b/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml @@ -12,7 +12,10 @@ nodes: - parsed: raw_remote_addr expression: evt.Parsed.x_forwarded_for - parsed: remote_addr - expression: "evt.Parsed.x_forwarded_for != nil ? Split(evt.Parsed.x_forwarded_for, ',')[0] : nil" + expression: | + let xff = evt.Parsed.x_forwarded_for ?? ''; + let first_ip = xff != '' ? Split(xff, ',')[0] : ''; + TrimPrefix(TrimSuffix(first_ip, "]"), "[") - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "envoy") in ["", nil] statics: - parsed: time 
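Review bot: The CLF branch still takes `Split(xff, ',')[0]`, the leftmost x-forwarded-for entry, as `remote_addr`, and that entry is whatever the requester sent unless the edge overwrites the header. The new assertions show it reaching `Meta["source_ip"]` (`192.168.1.100` for the CLF line, while the JSON line with the same header yields the peer `10.42.0.1`), so the two formats attribute the same request to different addresses and decisions keyed on the CLF value follow a client-supplied field. I would state the assumption on the node, e.g. `# leftmost XFF entry is only meaningful when Envoy is the first hop and sanitises the header`. Separately, `TrimPrefix(TrimSuffix(first_ip, "]"), "[")` only unwraps a bare `[addr]`, so an `[addr]:port` first entry (the form the test data has in second position) would come out as `addr]:port`. The fallback is also now `''` where the old expression gave `nil`, here and in the second hunk, which is worth confirming against the later stages; the nodes list continues outside the hunk.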
@@ -20,7 +23,11 @@ nodes: - parsed: raw_remote_addr expression: evt.Unmarshaled.envoy.downstream_remote_address - parsed: remote_addr - expression: "evt.Unmarshaled.envoy.downstream_remote_address != nil ? Split(evt.Unmarshaled.envoy.downstream_remote_address, ':')[0] : nil" + expression: | + let address = evt.Unmarshaled.envoy.downstream_remote_address ?? ''; + let last_colon = lastIndexOf(address, ':'); + let addr = last_colon >= 0 ? address[:last_colon] : address; + TrimPrefix(TrimSuffix(addr, "]"), "[") - parsed: request expression: evt.Unmarshaled.envoy["x-envoy-origin-path"] - parsed: verb
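Review bot: `lastIndexOf(address, ':')` in the JSON branch assumes `downstream_remote_address` always ends in `:port`, so a bare `fd00:1234:5678::1` would be cut to `fd00:1234:5678:` and stored as `remote_addr`. That can happen if a deployment maps this key to a port-less address; none of the assertions visible here cover such input. Stripping only when a port is actually present avoids it: `let has_port = last_colon > 0 && (indexOf(address, ':') == last_colon || address[last_colon-1:last_colon] == ']');` followed by `let addr = has_port ? address[:last_colon] : address;`. A one-line comment above the expression naming the accepted forms (`ip:port`, `[ip6]:port`) would also help the next reader, since the statics list continues outside the hunk.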