I’ve mirrored all my pfSense log entries to my unraid folder. The HAProxy log has been forwarded to the same log file on my unraid too. I would prefer it to be in a separate log file on unraid, but I don’t know how to do it.
My crowdsec docker container can detect the HAProxy log entries, but all entries are unparsed; the SSHd entries are unparsed too.
Has anyone successfully made crowdsec parse both the HAProxy and SSHd logs?
Update: OK, I misinterpreted the nonparsed count. I understood it should count all log entries that match the keywords “haproxy” or “sshd”.
Actually, it will count only when the crowdsec parser detects the keywords “haproxy” or “sshd” AND any fishy behavior in a log entry, e.g. when it finds the keyword “password failed”, etc.
I tried to ssh to my unraid server with wrong passwords. If I enter a wrong password three times, the crowdsec parser counts 3.
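
Added example, not part of the original post: one way to get the HAProxy and sshd entries out of a single mirrored file and into separate files, by routing each line on its syslog program tag. It assumes RFC 3164-style lines; the output file names, the routing table and the sample lines are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host program[pid]: message"
# (the <PRI> prefix is usually gone once the line has been written to a file).
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# Hypothetical routing table: syslog program tag -> destination file name.
ROUTES = {"haproxy": "haproxy.log", "sshd": "sshd.log"}
DEFAULT = "pfsense-other.log"

def route_line(line):
    """Return the destination file name for one log line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return DEFAULT  # keep malformed lines instead of dropping them
    return ROUTES.get(m.group("program").lower(), DEFAULT)

def split_log(lines):
    """Group lines by destination file name, preserving their order."""
    out = defaultdict(list)
    for line in lines:
        if line.strip():
            out[route_line(line)].append(line.rstrip("\n"))
    return dict(out)

def write_split(src_path, dest_dir):
    """Append the lines of one mirrored file to per-program files in dest_dir."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        for name, lines in split_log(fh).items():
            with open(os.path.join(dest_dir, name), "a", encoding="utf-8") as out:
                out.write("\n".join(lines) + "\n")

# Constructed sample lines (documentation IP addresses, not real traffic).
SAMPLE = [
    'Jan 12 10:15:01 pfsense haproxy[4242]: 198.51.100.7:51234 www-frontend www-backend/srv1 200 512 "GET / HTTP/1.1"',
    "Jan 12 10:15:09 pfsense sshd[911]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Jan 12 10:15:12 pfsense filterlog[33]: constructed firewall entry",
    "not a syslog line",
]
```

Each resulting file can then be listed as its own acquisition source, so the HAProxy and sshd lines are no longer mixed.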