feat: envoy parser / collection (#1622)

* Add parser for Envoy JSON logs via CRI

* Add Envoy parser documentation

* Add test instructions for Envoy JSON logs parser

* Add Envoy parser log entries

* align with other webservers

* add envoy collection

* clean envoy test fixture

* document envoy collection usage

* rename envoy parser to envoy-logs

* add envoy clf parsing

* refresh envoy clf asserts

* fix envoy clf escaping

---------

Co-authored-by: Yanis Kouidri <yanis.kouidri@gmail.com>
Co-authored-by: Laurence <laurence.jones@live.co.uk>

Author: 3 people

.tests/envoy-http-bad-user-agent/config.yaml

@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/cri-logs
+- parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
+- crowdsecurity/http-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- crowdsecurity/http-bad-user-agent
+postoverflows:
+- ""
+log_file: envoy-http-bad-user-agent.log
+log_type: containerd
+ignore_parsers: true
+labels:
+    program: envoy

.tests/envoy-http-bad-user-agent/envoy-http-bad-user-agent.log

@@ -0,0 +1,2 @@
+2025-12-31T17:37:40.493035218+01:00 stdout F {"start_time":"2025-12-31T16:37:40.479Z","method":"GET","x-envoy-origin-path":"/admin","response_code":404,"user-agent":"Mozilla/5.0 zgrab/0.x","downstream_remote_address":"10.0.0.12:59292",":authority":"app.internal"}
+2025-12-31T17:37:41.493035218+01:00 stdout F {"start_time":"2025-12-31T16:37:41.479Z","method":"GET","x-envoy-origin-path":"/login","response_code":200,"user-agent":"Mozilla/5.0 zgrab/0.x","downstream_remote_address":"10.0.0.12:59292",":authority":"app.internal"}

.tests/envoy-http-bad-user-agent/scenario.assert

@@ -0,0 +1,33 @@
+len(results) == 1
+"10.0.0.12" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.12"].IP == "10.0.0.12"
+results[0].Overflow.Sources["10.0.0.12"].Range == ""
+results[0].Overflow.Sources["10.0.0.12"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.12"].GetValue() == "10.0.0.12"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "envoy-http-bad-user-agent.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/admin"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 zgrab/0.x"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.12"
+results[0].Overflow.Alert.Events[0].GetMeta("target_fqdn") == "app.internal"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-12-31T16:37:40.479Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "envoy-http-bad-user-agent.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/login"
+results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "200"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 zgrab/0.x"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.12"
+results[0].Overflow.Alert.Events[1].GetMeta("target_fqdn") == "app.internal"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-12-31T16:37:41.479Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-bad-user-agent"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2

.tests/envoy-http-crawl-non_statics/config.yaml

@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/cri-logs
+- parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
+- crowdsecurity/http-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- crowdsecurity/http-crawl-non_statics
+postoverflows:
+- ""
+log_file: envoy-http-crawl-non_statics.log
+log_type: containerd
+ignore_parsers: true
+labels:
+    program: envoy

.tests/envoy-http-crawl-non_statics/envoy-http-crawl-non_statics.log

@@ -0,0 +1,41 @@
+2025-12-31T17:40:00.000000100+01:00 stdout F {"start_time":"2025-12-31T16:40:00.100Z","method":"GET","x-envoy-origin-path":"/page-01","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000110+01:00 stdout F {"start_time":"2025-12-31T16:40:00.110Z","method":"GET","x-envoy-origin-path":"/page-02","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000120+01:00 stdout F {"start_time":"2025-12-31T16:40:00.120Z","method":"GET","x-envoy-origin-path":"/page-03","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000130+01:00 stdout F {"start_time":"2025-12-31T16:40:00.130Z","method":"GET","x-envoy-origin-path":"/page-04","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000140+01:00 stdout F {"start_time":"2025-12-31T16:40:00.140Z","method":"GET","x-envoy-origin-path":"/page-05","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000150+01:00 stdout F {"start_time":"2025-12-31T16:40:00.150Z","method":"GET","x-envoy-origin-path":"/page-06","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000160+01:00 stdout F {"start_time":"2025-12-31T16:40:00.160Z","method":"GET","x-envoy-origin-path":"/page-07","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000170+01:00 stdout F {"start_time":"2025-12-31T16:40:00.170Z","method":"GET","x-envoy-origin-path":"/page-08","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000180+01:00 stdout F {"start_time":"2025-12-31T16:40:00.180Z","method":"GET","x-envoy-origin-path":"/page-09","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000190+01:00 stdout F {"start_time":"2025-12-31T16:40:00.190Z","method":"GET","x-envoy-origin-path":"/page-10","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000200+01:00 stdout F {"start_time":"2025-12-31T16:40:00.200Z","method":"GET","x-envoy-origin-path":"/page-11","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000210+01:00 stdout F {"start_time":"2025-12-31T16:40:00.210Z","method":"GET","x-envoy-origin-path":"/page-12","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000220+01:00 stdout F {"start_time":"2025-12-31T16:40:00.220Z","method":"GET","x-envoy-origin-path":"/page-13","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000230+01:00 stdout F {"start_time":"2025-12-31T16:40:00.230Z","method":"GET","x-envoy-origin-path":"/page-14","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000240+01:00 stdout F {"start_time":"2025-12-31T16:40:00.240Z","method":"GET","x-envoy-origin-path":"/page-15","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000250+01:00 stdout F {"start_time":"2025-12-31T16:40:00.250Z","method":"GET","x-envoy-origin-path":"/page-16","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000260+01:00 stdout F {"start_time":"2025-12-31T16:40:00.260Z","method":"GET","x-envoy-origin-path":"/page-17","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000270+01:00 stdout F {"start_time":"2025-12-31T16:40:00.270Z","method":"GET","x-envoy-origin-path":"/page-18","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000280+01:00 stdout F {"start_time":"2025-12-31T16:40:00.280Z","method":"GET","x-envoy-origin-path":"/page-19","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000290+01:00 stdout F {"start_time":"2025-12-31T16:40:00.290Z","method":"GET","x-envoy-origin-path":"/page-20","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000300+01:00 stdout F {"start_time":"2025-12-31T16:40:00.300Z","method":"GET","x-envoy-origin-path":"/page-21","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000310+01:00 stdout F {"start_time":"2025-12-31T16:40:00.310Z","method":"GET","x-envoy-origin-path":"/page-22","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000320+01:00 stdout F {"start_time":"2025-12-31T16:40:00.320Z","method":"GET","x-envoy-origin-path":"/page-23","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000330+01:00 stdout F {"start_time":"2025-12-31T16:40:00.330Z","method":"GET","x-envoy-origin-path":"/page-24","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000340+01:00 stdout F {"start_time":"2025-12-31T16:40:00.340Z","method":"GET","x-envoy-origin-path":"/page-25","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000350+01:00 stdout F {"start_time":"2025-12-31T16:40:00.350Z","method":"GET","x-envoy-origin-path":"/page-26","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000360+01:00 stdout F {"start_time":"2025-12-31T16:40:00.360Z","method":"GET","x-envoy-origin-path":"/page-27","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000370+01:00 stdout F {"start_time":"2025-12-31T16:40:00.370Z","method":"GET","x-envoy-origin-path":"/page-28","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000380+01:00 stdout F {"start_time":"2025-12-31T16:40:00.380Z","method":"GET","x-envoy-origin-path":"/page-29","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000390+01:00 stdout F {"start_time":"2025-12-31T16:40:00.390Z","method":"GET","x-envoy-origin-path":"/page-30","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000400+01:00 stdout F {"start_time":"2025-12-31T16:40:00.400Z","method":"GET","x-envoy-origin-path":"/page-31","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000410+01:00 stdout F {"start_time":"2025-12-31T16:40:00.410Z","method":"GET","x-envoy-origin-path":"/page-32","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000420+01:00 stdout F {"start_time":"2025-12-31T16:40:00.420Z","method":"GET","x-envoy-origin-path":"/page-33","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000430+01:00 stdout F {"start_time":"2025-12-31T16:40:00.430Z","method":"GET","x-envoy-origin-path":"/page-34","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000440+01:00 stdout F {"start_time":"2025-12-31T16:40:00.440Z","method":"GET","x-envoy-origin-path":"/page-35","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000450+01:00 stdout F {"start_time":"2025-12-31T16:40:00.450Z","method":"GET","x-envoy-origin-path":"/page-36","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000460+01:00 stdout F {"start_time":"2025-12-31T16:40:00.460Z","method":"GET","x-envoy-origin-path":"/page-37","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000470+01:00 stdout F {"start_time":"2025-12-31T16:40:00.470Z","method":"GET","x-envoy-origin-path":"/page-38","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000480+01:00 stdout F {"start_time":"2025-12-31T16:40:00.480Z","method":"GET","x-envoy-origin-path":"/page-39","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000490+01:00 stdout F {"start_time":"2025-12-31T16:40:00.490Z","method":"GET","x-envoy-origin-path":"/page-40","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}
+2025-12-31T17:40:00.000000490+01:00 stdout F {"start_time":"2025-12-31T16:40:00.490Z","method":"GET","x-envoy-origin-path":"/page-41","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"}

.tests/envoy-http-crawl-non_statics/scenario.assert

@@ -0,0 +1,81 @@
+len(results) == 1
+"10.0.0.13" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.13"].IP == "10.0.0.13"
+results[0].Overflow.Sources["10.0.0.13"].Range == ""
+results[0].Overflow.Sources["10.0.0.13"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.13"].GetValue() == "10.0.0.13"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/page-36"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[0].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-12-31T16:40:00.45Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/page-37"
+results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[1].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-12-31T16:40:00.46Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/page-38"
+results[0].Overflow.Alert.Events[2].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[2].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-12-31T16:40:00.47Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/page-39"
+results[0].Overflow.Alert.Events[3].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[3].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-12-31T16:40:00.48Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/page-40"
+results[0].Overflow.Alert.Events[4].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[4].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-12-31T16:40:00.49Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/page-41"
+results[0].Overflow.Alert.Events[5].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Mozilla/5.0"
+results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.0.0.13"
+results[0].Overflow.Alert.Events[5].GetMeta("target_fqdn") == "crawl.internal"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-12-31T16:40:00.49Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-crawl-non_statics"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 41