
Severity: warning | Message: grok 'DATE_YMD' already registred | Log Parsers: schiz0phr3ne/prowlarr-logs, schiz0phr3ne/radarr-logs, schiz0phr3ne/sonarr-logs, Dominic-Wagner/vaultwarden-logs #1264

Open
instantdreams opened this issue Mar 7, 2025 · 1 comment

Comments

@instantdreams

Describe the bug
On start of crowdsec, the following warning messages are produced:

crowdsec  | time="2025-03-04T15:23:23-07:00" level=warning msg="grok 'DATE_YMD' already registred" id=ancient-breeze name=schiz0phr3ne/prowlarr-logs stage=s01-parse
crowdsec  | time="2025-03-04T15:23:23-07:00" level=warning msg="grok 'DATE_YMD' already registred" id=lively-resonance name=schiz0phr3ne/radarr-logs stage=s01-parse
crowdsec  | time="2025-03-04T15:23:23-07:00" level=warning msg="grok 'DATE_YMD' already registred" id=autumn-shadow name=schiz0phr3ne/sonarr-logs stage=s01-parse
crowdsec  | time="2025-03-04T15:23:23-07:00" level=warning msg="grok 'DATE_YMD' already registred" id=proud-surf name=Dominic-Wagner/vaultwarden-logs stage=s01-parse

To Reproduce
Add the following collections to crowdsec:

  • schiz0phr3ne/prowlarr
  • schiz0phr3ne/radarr
  • schiz0phr3ne/sonarr
  • Dominic-Wagner/vaultwarden

Add the following entries to acquis.yaml:

---
source: loki
url: http://[ip-address]:3100/
query: |
  {docker_container_name="prowlarr"}
limit: 1000
log_level: warn
labels:
  type: Prowlarr
---
source: loki
url: http://[ip-address]:3100/
query: |
  {docker_container_name="radarr"}
limit: 1000
log_level: warn
labels:
  type: Radarr
---
source: loki
url: http://[ip-address]:3100/
query: |
  {docker_container_name="sonarr"}
limit: 1000
log_level: warn
labels:
  type: Sonarr
---
source: loki
url: http://[ip-address]:3100/
query: |
  {docker_container_name="vaultwarden"}
limit: 1000
log_level: warn
labels:
  type: Vaultwarden

Expected behavior
No warning messages, or an explanation of the warning message.

Screenshots
n/a

Additional context
Raising this issue to help harden each log parser.

@instantdreams instantdreams changed the title Severity: warning Message: grok 'DATE_YMD' already registred Log Parsers: schiz0phr3ne/prowlarr-logs, schiz0phr3ne/radarr-logs, schiz0phr3ne/sonarr-logs, Dominic-Wagner/vaultwarden-logs Severity: warning | Message: grok 'DATE_YMD' already registred | Log Parsers: schiz0phr3ne/prowlarr-logs, schiz0phr3ne/radarr-logs, schiz0phr3ne/sonarr-logs, Dominic-Wagner/vaultwarden-logs Mar 7, 2025
@LaurenceJJones
Contributor

LaurenceJJones commented Mar 20, 2025

Yes, the issue is that the grok patterns are shared between parsers; even if the parser defines its own patterns, they currently leak between them. We have a task in crowdsec to create a separation between own patterns so this warning won't ever happen. However, for now the only workaround would be to modify each parser pattern to have a prefix, e.g. PROWLARR_DATE_YMD.

The warning is actually a problem if the pattern is different; however, they are not.

parsers/s01-parse/Dominic-Wagner/vaultwarden-logs.yaml:  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml:  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
parsers/s01-parse/schiz0phr3ne/radarr-logs.yaml:  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
parsers/s01-parse/schiz0phr3ne/sonarr-logs.yaml:  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"

So either we update them or ignore the warnings for now till we update crowdsec to not leak them.
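
An added example, not part of the thread or of CrowdSec's own code: a check that separates the harmless case described above (same pattern name, same definition) from the case that would matter (same name, different definition). It assumes `pattern_syntax` is a top-level block with one-line values; the file names and the `APP_LEVEL` and `C_ONLY` patterns are constructed sample data.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample parsers; only the DATE_YMD line mirrors the issue.
DATE = '  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"\n'
SAMPLE = {
    "a-logs.yaml": "pattern_syntax:\n" + DATE + '  APP_LEVEL: "(Info|Warn)"\nnodes: []\n',
    "b-logs.yaml": "pattern_syntax:\n" + DATE + '  APP_LEVEL: "(INFO|WARN|ERROR)"\nnodes: []\n',
    "c-logs.yaml": 'filter: "1 == 1"\npattern_syntax:\n' + DATE + "  C_ONLY: '[a-z]+'\n",
}

ENTRY = re.compile(r"^\s+([A-Za-z0-9_]+):\s*(.+?)\s*$")


def pattern_syntax(text):
    """Return {name: definition} from a top-level pattern_syntax block."""
    found, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^pattern_syntax:\s*$", line):
            inside = True
        elif inside and (m := ENTRY.match(line)):
            found[m.group(1)] = m.group(2).strip("'\"")
        elif line.strip() and not line.lstrip().startswith("#"):
            inside = False  # any other non-blank, non-comment line ends the block
    return found


def classify(files):
    """files: {path: yaml text}. For each name defined by 2+ parsers, return
    (status, {path: definition}); status is "identical" or "conflict"."""
    by_name = defaultdict(dict)
    for path, text in files.items():
        for name, definition in pattern_syntax(text).items():
            by_name[name][path] = definition
    return {
        name: ("identical" if len(set(defs.values())) == 1 else "conflict", defs)
        for name, defs in by_name.items() if len(defs) > 1
    }


if __name__ == "__main__":
    # With a directory argument, scan its *.yaml files; otherwise use SAMPLE.
    files = ({str(p): p.read_text() for p in Path(sys.argv[1]).rglob("*.yaml")}
             if len(sys.argv) > 1 else SAMPLE)
    for name, (status, defs) in sorted(classify(files).items()):
        print(f"{name}: {status}")
        for path, definition in sorted(defs.items()):
            print(f"  {path}: {definition}")
```

A "conflict" entry is the situation where the warning signals a real problem, since one parser's definition would be used in place of another's.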
