From e4463c412b01a1018953064371125b49417ab5d3 Mon Sep 17 00:00:00 2001
From: "Thibault \"bui\" Koechlin"
Date: Thu, 29 Dec 2022 15:03:32 +0100
Subject: [PATCH] Improve warnings around lack of `evt.StrTime` field (#1954)

* fix #1951 : improve error messages
* make hubtest warn you if you're missing evt.StrTime in your logs

---
pkg/hubtest/parser_assert.go | 27 +++++++++++++++++++++++++++
pkg/leakybucket/timemachine.go | 7 +++++--
2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/pkg/hubtest/parser_assert.go b/pkg/hubtest/parser_assert.go
index 766f47e70..82efed9e3 100644
--- a/pkg/hubtest/parser_assert.go
+++ b/pkg/hubtest/parser_assert.go
@@ -78,6 +78,7 @@ func (p *ParserAssert) LoadTest(filename string) error {
}
func (p *ParserAssert) AssertFile(testFile string) error {
+
file, err := os.Open(p.File)
if err != nil {
@@ -268,6 +269,32 @@ func LoadParserDump(filepath string) (*ParserResults, error) {
if err := yaml.Unmarshal(results, &pdump); err != nil {
return nil, err
}
+
+ /* we know that some variables should always be set,
+ let's check if they're present in last parser output of last stage */
+ stages := make([]string, 0, len(pdump))
+ for k := range pdump {
+ stages = append(stages, k)
+ }
+ sort.Strings(stages)
+ /*the very last one is set to 'success' which is just a bool indicating if the line was successfully parsed*/
+ lastStage := stages[len(stages)-2]
+
+ parsers := make([]string, 0, len(pdump[lastStage]))
+ for k := range pdump[lastStage] {
+ parsers = append(parsers, k)
+ }
+ sort.Strings(parsers)
+ lastParser := parsers[len(parsers)-1]
+
+ for idx, result := range pdump[lastStage][lastParser] {
+ if result.Evt.StrTime == "" {
+ log.Warningf("Line %d/%d is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.", idx, len(pdump[lastStage][lastParser]))
+ } else {
+ log.Debugf("Line %d/%d has evt.StrTime set to '%s'", idx, len(pdump[lastStage][lastParser]), result.Evt.StrTime)
+ }
+ }
+
return &pdump, nil
}
diff --git a/pkg/leakybucket/timemachine.go b/pkg/leakybucket/timemachine.go
index a2cac4776..25a0c9308 100644
--- a/pkg/leakybucket/timemachine.go
+++ b/pkg/leakybucket/timemachine.go
@@ -4,7 +4,6 @@ import (
"time"
"github.com/crowdsecurity/crowdsec/pkg/types"
- "github.com/davecgh/go-spew/spew"
log "github.com/sirupsen/logrus"
)
@@ -14,7 +13,11 @@ func TimeMachinePour(l *Leaky, msg types.Event) {
err error
)
if msg.MarshaledTime == "" {
- log.Warningf("Trying to time-machine event without timestamp : %s", spew.Sdump(msg))
+ log.WithFields(log.Fields{
+ "evt_type": msg.Line.Labels["type"],
+ "evt_src": msg.Line.Src,
+ "scenario": l.Name,
+ }).Warningf("Trying to process event without evt.StrTime. Event cannot be poured to scenario")
return
}
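Review bot: `lastStage := stages[len(stages)-2]` and `lastParser := parsers[len(parsers)-1]` index without a length check, so a dump with fewer than two stages, or a last stage with no parsers, makes LoadParserDump panic instead of returning an error; the dump is unmarshalled from a file on disk (`yaml.Unmarshal(results, &pdump)`), so an empty or partial one is a plausible input. Guarding both keeps the previous behaviour for such dumps: `if len(stages) < 2 { return &pdump, nil }` after the first `sort.Strings`, and `if len(parsers) == 0 { return &pdump, nil }` after the second. The choice of `len(stages)-2` as the last real stage relies on the `success` key sorting after every stage name, which the comment only implies; spelling that assumption out in the comment (e.g. `// stage keys sort as sNN-... then "success", so the real last stage is the second-to-last key — confirm naming`) would help the next reader. The `Line %d/%d` counters also print the zero-based `idx` against a one-based total, so the final line reads as `N-1/N`; `idx+1` would read naturally.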
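Review bot: The new `Warningf` text says the event lacks `evt.StrTime`, but the guard just above it tests `msg.MarshaledTime`, and nothing in the hunk shows how the two relate, so a reader cannot tell why an empty `MarshaledTime` is reported as a missing `StrTime`. A one-line comment on the `if` would close that gap, e.g. `// MarshaledTime is presumably derived from evt.StrTime upstream; empty means no usable timestamp — confirm`. The structured fields `evt_type`, `evt_src` and `scenario` replace the removed `spew.Sdump(msg)`, which is a sound choice for a log line since only metadata rather than the whole event is emitted. Since this runs once per poured event, a file where every line lacks a timestamp will presumably emit one warning per event per scenario, so a once-per-scenario or rate-limited warning may be worth considering. TimeMachinePour's body continues outside the hunk.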