cscli parsers install cyrille37/sympa_ww-logs

Parse the web service logs of Sympa - Mailing List Management Software
and extract these cases:
and fill the meta "evt.Meta.sympa_warn" for scenario processing.
These cases do not appear as 404 in http_access_log because Sympa replies with HTTP 200 and an HTML error message for the user.
```yaml
filenames:
  - /var/log/sympa.log
labels:
  type: syslog
```

```yaml
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=wwsympa.service"
labels:
  type: syslog
```
```yaml
# cyrille37/sympa_ww-logs
# Version: 2025-11-09
#
# @see sympa_ww-logs.md
#
# Docs:
# - [Parser creation : skeleton](https://docs.crowdsec.net/docs/next/log_processor/parsers/create/#parser-creation--skeleton)
# - [expression language](https://expr-lang.org/docs/language-definition)
#
name: cyrille37/sympa_ww-logs
description: "Parse wwsympa syslog lines"
#debug: true
filter: evt.Parsed.program == 'wwsympa'
onsuccess: next_stage

nodes:
  - grok:
      pattern: '%{WORD:sympa_loglevel} %{GREEDYDATA:sympa_where_action} (?:\[robot %{DATA:sympa_robot}\]) (?:\[session %{DATA:sympa_session}\]) (?:\[client %{IPORHOST:sympa_client_ip}\])(?: \[user %{DATA:sympa_user}\])?( %{GREEDYDATA:sympa_message})?'
      apply_on: message
    nodes:
      - filter: "evt.Parsed.sympa_message contains 'Unknown action'"
        statics:
          - meta: sympa_warn
            value: unknow-action
      - filter: "evt.Parsed.sympa_message contains 'Unknown list'"
        statics:
          - meta: sympa_warn
            value: unknow-list

statics:
  - meta: service
    value: wwsympa
  - meta: source_ip
    expression: "evt.Parsed.sympa_client_ip"
  - meta: sympa_where_action
    expression: "evt.Parsed.sympa_where_action"
  - meta: sympa_robot
    expression: "evt.Parsed.sympa_robot"
  - meta: sympa_warn
    expression: "evt.Meta.sympa_warn"
  - meta: sympa_message
    expression: "evt.Parsed.sympa_message"
```
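To check offline which wwsympa messages the grok pattern and the two child filters would tag, this added example (not part of the parser or of CrowdSec) transcribes the pattern into a Python regex and runs it over constructed messages. The regex stand-ins for WORD, DATA, GREEDYDATA and IPORHOST, the helper names `parse` and `warn_counts`, and the sample lines are assumptions.

```python
import re
from collections import Counter

# Regex transcription of the parser's grok pattern (assumed simplifications:
# WORD -> \w+, GREEDYDATA -> .*, DATA -> .*?, IPORHOST -> [^\]\s]+).
SYMPA_RE = re.compile(
    r"(?P<sympa_loglevel>\w+) (?P<sympa_where_action>.*) "
    r"\[robot (?P<sympa_robot>.*?)\] "
    r"\[session (?P<sympa_session>.*?)\] "
    r"\[client (?P<sympa_client_ip>[^\]\s]+)\]"
    r"(?: \[user (?P<sympa_user>.*?)\])?"
    r"(?: (?P<sympa_message>.*))?"
)
# Child-node filters of the parser: substring -> value of the sympa_warn meta.
WARN_RULES = (("Unknown action", "unknow-action"), ("Unknown list", "unknow-list"))

# Constructed message bodies (syslog header already stripped); function names,
# hosts and addresses are made up, not captured from a Sympa server.
SAMPLES = [
    "err main::do_info() [robot lists.example.org] [session 1001] [client 203.0.113.7] Unknown list nosuchlist",
    "err main::dispatch() [robot lists.example.org] [session 1002] [client 203.0.113.7] Unknown action wp-login",
    "info main::do_login() [robot lists.example.org] [session 1003] [client 198.51.100.4] [user alice@example.org] login ok",
    "notice main::do_home() [robot lists.example.org] [session 1004] [client 198.51.100.4]",
    "info daemon started",  # no [robot]/[session]/[client] fields: must not match
]

def parse(message):
    """Return the captured fields plus sympa_warn, or None if the line does not match."""
    m = SYMPA_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    text = fields["sympa_message"] or ""  # the trailing message is optional
    fields["sympa_warn"] = next((tag for needle, tag in WARN_RULES if needle in text), None)
    return fields

def warn_counts(messages):
    """Count tagged events per client address, the key a scenario would group on."""
    hits = Counter()
    for message in messages:
        fields = parse(message)
        if fields and fields["sympa_warn"]:
            hits[fields["sympa_client_ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, count in warn_counts(SAMPLES).items():
        print(ip, count)
```

On a CrowdSec host, `cscli explain` against a real log line shows what the installed parser itself extracts.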