crowdsec - goroutine crowdsec/StartRunSvc crashed: interface conversion: interface {} is []interface {}, not string #3687

@PintjesB

What happened?

During testing of a parser I keep getting this error when running csdev --cscli "$(dirname $PWD)/cscli" --crowdsec "$(dirname $PWD)/crowdsec" hubtest run s01-unifi-v1

error: interface conversion: interface {} is []interface {}, not string
version: v1.6.8-f209766e
BuildDate: 2025-03-25_13:38:26
GoVersion: 1.24.1
Platform: linux
goroutine 1 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:26 +0x5e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).writeStackTrace(0x3a36f40, {0x20f5240, 0xc0002ea9f0})
	github.com/crowdsecurity/go-cs-lib@v0.0.16/trace/trace.go:152 +0x16e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).catchPanic(0x3a36f40, {0x2449ca5, 0x14})
	github.com/crowdsecurity/go-cs-lib@v0.0.16/trace/trace.go:168 +0x12f
github.com/crowdsecurity/go-cs-lib/trace.CatchPanic(...)
	github.com/crowdsecurity/go-cs-lib@v0.0.16/trace/trace.go:37
panic({0x20f5240?, 0xc0002ea9f0?})
	runtime/panic.go:792 +0x132
github.com/crowdsecurity/crowdsec/pkg/parser.(*Node).compile(0xc00027ec88, 0xc000927e80, {0xc000ee37eb?})
	github.com/crowdsecurity/crowdsec/pkg/parser/node.go:494 +0x1d8d
github.com/crowdsecurity/crowdsec/pkg/parser.LoadStages({0xc000927e00, 0x2, 0x24655c0?}, 0xc000927e80, {0xc00177b918?})
	github.com/crowdsecurity/crowdsec/pkg/parser/stage.go:102 +0x1011
github.com/crowdsecurity/crowdsec/pkg/parser.LoadParsers(0xc00019dd00, 0xc001022b80)
	github.com/crowdsecurity/crowdsec/pkg/parser/unix_parser.go:134 +0x58a
main.initCrowdsec(0xc00019dd00, 0xc0009c1a10, 0x0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec/crowdsec.go:42 +0x10f
main.Serve(0xc00019dd00, 0xc0001081c0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec/serve.go:399 +0x65f
main.StartRunSvc()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec/run_in_svc.go:64 +0x3f4
main.main()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec/main.go:387 +0x478

What did you expect to happen?

To complete the test...

How can we reproduce it (as minimally and precisely as possible)?

This is the test config:

parsers:
    - crowdsecurity/unifi-logs
    - ./parsers/s01-parse/crowdsecurity/s01-unifi-v1.yaml
scenarios:
    - ""
postoverflows:
    - ""
log_file: s01-unifi-v1.log
log_type: unifi

The parser:

name: crowdsecurity/udmp-firewall-s01
description: "Parse Ubiquiti UDMP firewall log"
stage: s01-parse
pattern_syntax:
  ACTION: [ADR]
nodes:
  - grok:
      pattern: '%{SYSLOGTIMESTAMP:log_ts} %{DATA:host} [%{WORD:src_zone}_%{WORD:dst_zone}-{ACTION:action}-{INT:rule_id}] DESCR="%{DATA:fw_descr}" IN=%{WORD:in_iface} OUT=%{WORD:out_iface} MAC=%{MAC:mac} SRC=%{IPV4:src_ip} DST=%{IPV4:dst_ip} LEN=%{INT:len1} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:id} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} LEN=%{INT:len2} MARK=%{DATA:mark}'
      apply_on: message
statics:
  - target: type
    value: unifi_firewall_log # Standard CrowdSec field for event type
  - target: evt.Parsed.action_full # Derived action for more clarity
    expression: 'evt.Parsed.action == "a" ? "accept" : (evt.Parsed.action == "d" ? "drop" : (evt.Parsed.action == "r" ? "reject" : "unknown"))'
  - target: evt.Parsed.firewall_rule_name # Combine zone, action, and ID for a unique rule name
    expression: 'sprintf("%s_%s-%s-%s", evt.Parsed.src_zone, evt.Parsed.dst_zone, evt.Parsed.action_full, evt.Parsed.rule_id)'

Anything else we need to know?

No response

Crowdsec version

$ csdev version
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-03-25_13:39:04
GoVersion: 1.24.1
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -a
Linux crowdsec-testing 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Enabled collections and parsers

No response

Acquisition config

Config show

Prometheus metrics

No response

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
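
The panic text in the trace is Go's unchecked type assertion failing on a decoded config value. The following added example (not part of the original report and not CrowdSec's code) reproduces that message and shows the comma-ok form returning an error instead. It assumes the offending value is the unquoted `ACTION: [ADR]` under `pattern_syntax`, which YAML reads as a one-element list rather than a string; `validatePatternSyntax` and `uncheckedAssert` are hypothetical helpers, and the maps are constructed stand-ins for decoder output.

```go
package main

import (
	"fmt"
	"sort"
)

// validatePatternSyntax checks a decoded pattern_syntax-style map and reports
// every entry whose value is not a plain string, instead of panicking.
// Hypothetical helper for illustration; not a CrowdSec function.
func validatePatternSyntax(decoded map[string]interface{}) (map[string]string, error) {
	out := make(map[string]string, len(decoded))
	var bad []string
	for name, raw := range decoded {
		s, ok := raw.(string) // comma-ok form: never panics
		if !ok {
			bad = append(bad, fmt.Sprintf("%s: expected string, got %T", name, raw))
			continue
		}
		out[name] = s
	}
	if len(bad) > 0 {
		sort.Strings(bad) // stable error text regardless of map order
		return nil, fmt.Errorf("invalid pattern_syntax: %v", bad)
	}
	return out, nil
}

// uncheckedAssert runs the single-value assertion and returns the recovered panic text.
func uncheckedAssert(raw interface{}) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	_ = raw.(string) // panics when raw holds anything but a string
	return ""
}

func main() {
	// Constructed input: what a YAML decoder yields for `ACTION: [ADR]`
	// (a flow sequence) versus the quoted form `ACTION: "[ADR]"`.
	unquoted := map[string]interface{}{"ACTION": []interface{}{"ADR"}}
	quoted := map[string]interface{}{"ACTION": "[ADR]"}
	fmt.Println(uncheckedAssert(unquoted["ACTION"]))
	_, err := validatePatternSyntax(unquoted)
	fmt.Println(err)
	p, err := validatePatternSyntax(quoted)
	fmt.Println(p, err)
}
```
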
