Skip to content

Dateformat for Immich doesn't match with other formatsΒ #1602

New issue
New issue
Open
Open
Dateformat for Immich doesn't match with other formats#1602
@Peronia

Description

@Peronia
Peronia
opened on Dec 10, 2025

Describe the bug
When I use https://app.crowdsec.net/hub/author/gauth-fr/collections/immich for my Immich server, it can't parse the logs.
Here is an example log string (from journalctl): Dez 10 13:40:02 host immich[400]: [Nest] 400 - 10.12.2025, 13:40:02 WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167.
Note the date format: 10.12.2025 instead of 12/10/2025. When I change the line IMMICH_CUSTOMDATE: "%{MONTHNUM2}/%{MONTHDAY}/%{YEAR}, %{TIME}" to IMMICH_CUSTOMDATE: "%{MONTHDAY}.%{MONTHNUM2}.%{YEAR}, %{TIME}" in immich-logs.yaml I can see this via explain:

cscli explain -l "Dez 10 13:40:02 host immich[400]: [Nest] 400  - 10.12.2025, 13:40:02    WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167" -t syslog -v
line: Dez 10 13:40:02 host immich[400]: [Nest] 400  - 10.12.2025, 13:40:02    WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167
        β”œ s00-raw
        |       β”” 🟒 crowdsecurity/syslog-logs (+12 ~9)
        |               β”” update evt.ExpectMode : %!s(int=0) -> 1
        |               β”” update evt.Stage :  -> s01-parse
        |               β”” update evt.Line.Raw :  -> Dez 10 13:40:02 host immich[400]: [Nest] 400  - 10.12.2025, 13:40:02    WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167
        |               β”” update evt.Line.Src :  -> /tmp/cscli_explain22703678/cscli_test_tmp.log
        |               β”” update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 13:45:42.607593638 +0000 UTC
        |               β”” create evt.Line.Labels.type : syslog
        |               β”” update evt.Line.Process : %!s(bool=false) -> true
        |               β”” update evt.Line.Module :  -> file
        |               β”” create evt.Parsed.timestamp8601 : 
        |               β”” create evt.Parsed.facility : 
        |               β”” create evt.Parsed.logsource : syslog
        |               β”” create evt.Parsed.message : [Nest] 400  - 10.12.2025, 13:40:02    WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167
        |               β”” create evt.Parsed.pid : 400
        |               β”” create evt.Parsed.priority : 
        |               β”” create evt.Parsed.program : immich
        |               β”” create evt.Parsed.timestamp : Dez 10 13:40:02
        |               β”” update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 13:45:42.607632844 +0000 UTC
        |               β”” update evt.StrTime :  -> Dez 10 13:40:02
        |               β”” create evt.Meta.datasource_path : /tmp/cscli_explain22703678/cscli_test_tmp.log
        |               β”” create evt.Meta.datasource_type : file
        |               β”” create evt.Meta.machine : host
        β”œ s01-parse
        |       β”” 🟒 gauth-fr/immich-logs (+6 ~4)
        |               β”” update evt.Stage : s01-parse -> s02-enrich
        |               β”” update evt.Parsed.timestamp : Dez 10 13:40:02 -> 10.12.2025, 13:40:02
        |               β”” create evt.Parsed.source_ip : 192.168.230.167
        |               β”” create evt.Parsed.username : [email protected]
        |               β”” update evt.StrTime : Dez 10 13:40:02 -> 10.12.2025, 13:40:02
        |               β”” update evt.StrTimeFormat :  -> 01/02/2006, 15:04:05
        |               β”” create evt.Meta.log_type : immich_failed_auth
        |               β”” create evt.Meta.service : immich
        |               β”” create evt.Meta.source_ip : 192.168.230.167
        |               β”” create evt.Meta.user : [email protected]
        β”œ s02-enrich
        |       β”œ 🟒 crowdsecurity/dateparse-enrich (+2 ~2)
        |               β”œ create evt.Enriched.MarshaledTime : 1970-01-01T01:00:10+01:00
        |               β”œ update evt.Time : 2025-12-10 13:45:42.607632844 +0000 UTC -> 1970-01-01 01:00:10 +0100 CET
        |               β”œ update evt.MarshaledTime :  -> 1970-01-01T01:00:10+01:00
        |               β”œ create evt.Meta.timestamp : 1970-01-01T01:00:10+01:00
        |       β”œ πŸ”΄ crowdsecurity/geoip-enrich
        |       β”” 🟒 crowdsecurity/public-dns-allowlist (unchanged)
        β”œ-------- parser success 🟒
        β”œ Scenarios
                β”œ 🟒 gauth-fr/immich-bf
                β”” 🟒 gauth-fr/immich-bf_user-enum

Maybe there other failures too, I test it only with this single change.

To Reproduce
cscli explain -l "Dez 10 13:40:02 host immich[400]: [Nest] 400 - 10.12.2025, 13:40:02 WARN [Api:AuthService~8hfctsaf] Failed login attempt for user [email protected] from ip address 192.168.230.167" -t syslog -v

Expected behavior
No errors and a parsable log entry

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
I'm running Immich via NixOS and so the logging is via syslog:

---
source: journalctl
journalctl_filter:
  - "SYSLOG_IDENTIFER=immich-server"
labels:
  type: syslog

I don't think that bother something, only the date format is in another language. But I would expect that this shouldn't matter Crowdsec at all.
Also note: My Server doesn't use UTC but Crowdsec does think this timestamp is UTC, that is NOT CORRECT.
update evt.Time : 2025-12-10 13:45:42.607632844 +0000 UTC -> 1970-01-01 01:00:10 +0100 CET

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions