From a811eef83b90892e1dfc365303e87769a5d8e49c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 12 May 2026 08:43:25 +0000
Subject: [PATCH 1/2] Initial plan
From b0745ea5a3e919fa563222555b12e5392f1d2d62 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 12 May 2026 08:49:57 +0000
Subject: [PATCH 2/2] fix: add support for Stirling-PDF 2.9.2+ new log format in parser
Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/6518deb4-7872-4455-95ee-45ed2de286e5
Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
---
 .tests/stirling-pdf-logs/parser.assert | 107 +++++++++++++++++-
 .tests/stirling-pdf-logs/stirling-pdf.log | 5 +-
 .../crowdsecurity/stirling-pdf-logs.yaml | 6 +
 3 files changed, 113 insertions(+), 5 deletions(-)
diff --git a/.tests/stirling-pdf-logs/parser.assert b/.tests/stirling-pdf-logs/parser.assert
index 0da13264740..3725c984bb6 100644
--- a/.tests/stirling-pdf-logs/parser.assert
+++ b/.tests/stirling-pdf-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 10
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 13
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "stirling-pdf"
@@ -60,7 +60,25 @@ results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "stir
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"] == "stirling-pdf.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 10
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["message"] == "2026-04-08 09:16:09,366 WARN s.s.p.s.c.a.AuthController [jetty-169] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Parsed["program"] == "stirling-pdf"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][10].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["message"] == "2026-04-08 09:24:58,908 WARN s.s.p.s.c.a.AuthController [jetty-275] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Parsed["program"] == "stirling-pdf"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][11].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["message"] == "2026-04-08 09:25:01,732 WARN s.s.p.s.c.a.AuthController [jetty-279] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Parsed["program"] == "stirling-pdf"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][12].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 13
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
@@ -71,7 +89,10 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false
-len(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"]) == 10
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == false
+len(results["s01-parse"]["crowdsecurity/stirling-pdf-logs"]) == 13
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["log_level"] == "ERROR"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][0].Evt.Parsed["message"] == "2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]"
@@ -192,7 +213,43 @@ results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["log_type"]
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["service"] == "stirling-pdf"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Meta["source_ip"] == "192.168.111.213"
 results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][9].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 10
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Success == true
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Parsed["log_level"] == "WARN"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Parsed["message"] == "2026-04-08 09:16:09,366 WARN s.s.p.s.c.a.AuthController [jetty-169] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Parsed["program"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Parsed["timestamp"] == "2026-04-08 09:16:09,366"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Meta["log_type"] == "failed_authentication"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Meta["service"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][10].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Success == true
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Parsed["log_level"] == "WARN"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Parsed["message"] == "2026-04-08 09:24:58,908 WARN s.s.p.s.c.a.AuthController [jetty-275] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Parsed["program"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Parsed["timestamp"] == "2026-04-08 09:24:58,908"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Meta["log_type"] == "failed_authentication"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Meta["service"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][11].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Success == true
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Parsed["log_level"] == "WARN"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Parsed["message"] == "2026-04-08 09:25:01,732 WARN s.s.p.s.c.a.AuthController [jetty-279] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Parsed["program"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Parsed["timestamp"] == "2026-04-08 09:25:01,732"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Meta["log_type"] == "failed_authentication"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Meta["service"] == "stirling-pdf"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s01-parse"]["crowdsecurity/stirling-pdf-logs"][12].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 13
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["log_level"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]"
@@ -333,4 +390,46 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2024-10-10T13:04:30.558Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2024-10-10T13:04:30.558Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["log_level"] == "WARN"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "2026-04-08 09:16:09,366 WARN s.s.p.s.c.a.AuthController [jetty-169] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp"] == "2026-04-08 09:16:09,366"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "failed_authentication"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2026-04-08T09:16:09.366Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2026-04-08T09:16:09.366Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["log_level"] == "WARN"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == "2026-04-08 09:24:58,908 WARN s.s.p.s.c.a.AuthController [jetty-275] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp"] == "2026-04-08 09:24:58,908"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "failed_authentication"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2026-04-08T09:24:58.908Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2026-04-08T09:24:58.908Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["log_level"] == "WARN"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "2026-04-08 09:25:01,732 WARN s.s.p.s.c.a.AuthController [jetty-279] Invalid password for user: testuser from IP: 192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["timestamp"] == "2026-04-08 09:25:01,732"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "stirling-pdf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "failed_authentication"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "stirling-pdf"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["source_ip"] == "192.168.111.213"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2026-04-08T09:25:01.732Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2026-04-08T09:25:01.732Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/stirling-pdf-logs/stirling-pdf.log b/.tests/stirling-pdf-logs/stirling-pdf.log
index b2abfc7ffbc..a0b0d7eca66 100644
--- a/.tests/stirling-pdf-logs/stirling-pdf.log
+++ b/.tests/stirling-pdf-logs/stirling-pdf.log
@@ -7,4 +7,7 @@
 2024-10-10 13:02:53,703 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]
 2024-10-10 13:02:56,524 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1160] Failed login attempt from IP: [::1]
 2024-10-10 13:04:28,001 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-96] Failed login attempt from IP: 192.168.111.213
-2024-10-10 13:04:30,558 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-66] Failed login attempt from IP: 192.168.111.213
\ No newline at end of file
+2024-10-10 13:04:30,558 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-66] Failed login attempt from IP: 192.168.111.213
+2026-04-08 09:16:09,366 WARN s.s.p.s.c.a.AuthController [jetty-169] Invalid password for user: testuser from IP: 192.168.111.213
+2026-04-08 09:24:58,908 WARN s.s.p.s.c.a.AuthController [jetty-275] Invalid password for user: testuser from IP: 192.168.111.213
+2026-04-08 09:25:01,732 WARN s.s.p.s.c.a.AuthController [jetty-279] Invalid password for user: testuser from IP: 192.168.111.213
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml b/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
index 3dfa13fa7f3..96b8002a7d8 100644
--- a/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
@@ -10,6 +10,12 @@ nodes:
 statics:
 - meta: log_type
 value: failed_authentication
+ - grok:
+ pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} %{DATA:logger} \\[%{DATA:thread}\\] Invalid password for user: %{DATA:username} from IP: %{IP:source_ip}"
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: failed_authentication
 statics:
 - meta: service
 value: stirling-pdf
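Review bot: The new grok pattern places `%{DATA:username}` directly before `from IP: %{IP:source_ip}` with no end-of-line anchor, and the username in an "Invalid password" line is text supplied by whoever attempted the login; because DATA is non-greedy, a username that itself contains the literal `from IP:` followed by an address would have that address captured as `source_ip`, so any decision derived from it would point at the wrong host. Anchoring the pattern lets the genuine trailing address win through backtracking: `pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} %{DATA:logger} \\[%{DATA:thread}\\] Invalid password for user: %{DATA:username} from IP: %{IP:source_ip}$"`. This assumes crowdsec's grok matching is an unanchored search, which I believe is the case but have not re-verified against the current engine. The `username` capture is currently left in Parsed only; if scenarios are meant to use it, a static such as `- meta: username` with `expression: evt.Parsed.username` next to the `log_type` static would expose it, and a fixture line carrying a bracketed IPv6 address like the older `[::1]` samples would show whether `%{IP}` needs the brackets handled in the new format too. The enclosing `nodes:` list and the first node's own `pattern:` start above this hunk.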