diff --git a/.tests/envoy-http-bad-user-agent/config.yaml b/.tests/envoy-http-bad-user-agent/config.yaml
new file mode 100644
index 00000000000..734fef813cb
--- /dev/null
+++ b/.tests/envoy-http-bad-user-agent/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/cri-logs
+- parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
+- crowdsecurity/http-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- crowdsecurity/http-bad-user-agent
+postoverflows:
+- ""
+log_file: envoy-http-bad-user-agent.log
+log_type: containerd
+ignore_parsers: true
+labels:
+ program: envoy
diff --git a/.tests/envoy-http-bad-user-agent/envoy-http-bad-user-agent.log b/.tests/envoy-http-bad-user-agent/envoy-http-bad-user-agent.log
new file mode 100644
index 00000000000..97ab31a1111
--- /dev/null
+++ b/.tests/envoy-http-bad-user-agent/envoy-http-bad-user-agent.log
@@ -0,0 +1,2 @@
+2025-12-31T17:37:40.493035218+01:00 stdout F {"start_time":"2025-12-31T16:37:40.479Z","method":"GET","x-envoy-origin-path":"/admin","response_code":404,"user-agent":"Mozilla/5.0 zgrab/0.x","downstream_remote_address":"10.0.0.12:59292",":authority":"app.internal"}
+2025-12-31T17:37:41.493035218+01:00 stdout F {"start_time":"2025-12-31T16:37:41.479Z","method":"GET","x-envoy-origin-path":"/login","response_code":200,"user-agent":"Mozilla/5.0 zgrab/0.x","downstream_remote_address":"10.0.0.12:59292",":authority":"app.internal"}
diff --git a/.tests/envoy-http-bad-user-agent/scenario.assert b/.tests/envoy-http-bad-user-agent/scenario.assert
new file mode 100644
index 00000000000..66e22d2f595
--- /dev/null
+++ b/.tests/envoy-http-bad-user-agent/scenario.assert
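Review bot: The local parser entry `parsers/s01-parse/yanis-kouidri/envoy-logs.yaml` in this config is written without the `./` prefix that `.tests/envoy-logs/config.yaml` uses for the same file (`./parsers/s01-parse/yanis-kouidri/envoy-logs.yaml`); `.tests/envoy-http-crawl-non_statics/config.yaml` has the same spelling as this one. Both forms presumably resolve from the hub root, but the three new test configs should reference the parser under test identically so a grep or a later rename of the parser file catches all of them. The list indentation also differs between the files (column-0 `- ` here, indented `- ` under `parsers:` in the envoy-logs config); pick one style for the three.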
@@ -0,0 +1,33 @@
+len(results) == 1
+"10.0.0.12" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.12"].IP == "10.0.0.12"
+results[0].Overflow.Sources["10.0.0.12"].Range == ""
+results[0].Overflow.Sources["10.0.0.12"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.12"].GetValue() == "10.0.0.12"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "envoy-http-bad-user-agent.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/admin"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 zgrab/0.x"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.12"
+results[0].Overflow.Alert.Events[0].GetMeta("target_fqdn") == "app.internal"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-12-31T16:37:40.479Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "envoy-http-bad-user-agent.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/login"
+results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "200"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 zgrab/0.x"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.12"
+results[0].Overflow.Alert.Events[1].GetMeta("target_fqdn") == "app.internal"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-12-31T16:37:41.479Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-bad-user-agent"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/envoy-http-crawl-non_statics/config.yaml b/.tests/envoy-http-crawl-non_statics/config.yaml
new file mode 100644
index 00000000000..ee76d75cb5b
--- /dev/null
+++ b/.tests/envoy-http-crawl-non_statics/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/cri-logs
+- parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
+- crowdsecurity/http-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- crowdsecurity/http-crawl-non_statics
+postoverflows:
+- ""
+log_file: envoy-http-crawl-non_statics.log
+log_type: containerd
+ignore_parsers: true
+labels:
+ program: envoy
diff --git a/.tests/envoy-http-crawl-non_statics/envoy-http-crawl-non_statics.log b/.tests/envoy-http-crawl-non_statics/envoy-http-crawl-non_statics.log
new file mode 100644
index 00000000000..ab3aada4130
--- /dev/null
+++ b/.tests/envoy-http-crawl-non_statics/envoy-http-crawl-non_statics.log
@@ -0,0 +1,41 @@ +2025-12-31T17:40:00.000000100+01:00 stdout F {"start_time":"2025-12-31T16:40:00.100Z","method":"GET","x-envoy-origin-path":"/page-01","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000110+01:00 stdout F {"start_time":"2025-12-31T16:40:00.110Z","method":"GET","x-envoy-origin-path":"/page-02","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000120+01:00 stdout F {"start_time":"2025-12-31T16:40:00.120Z","method":"GET","x-envoy-origin-path":"/page-03","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000130+01:00 stdout F {"start_time":"2025-12-31T16:40:00.130Z","method":"GET","x-envoy-origin-path":"/page-04","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000140+01:00 stdout F {"start_time":"2025-12-31T16:40:00.140Z","method":"GET","x-envoy-origin-path":"/page-05","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000150+01:00 stdout F {"start_time":"2025-12-31T16:40:00.150Z","method":"GET","x-envoy-origin-path":"/page-06","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000160+01:00 stdout F {"start_time":"2025-12-31T16:40:00.160Z","method":"GET","x-envoy-origin-path":"/page-07","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000170+01:00 stdout F 
{"start_time":"2025-12-31T16:40:00.170Z","method":"GET","x-envoy-origin-path":"/page-08","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000180+01:00 stdout F {"start_time":"2025-12-31T16:40:00.180Z","method":"GET","x-envoy-origin-path":"/page-09","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000190+01:00 stdout F {"start_time":"2025-12-31T16:40:00.190Z","method":"GET","x-envoy-origin-path":"/page-10","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000200+01:00 stdout F {"start_time":"2025-12-31T16:40:00.200Z","method":"GET","x-envoy-origin-path":"/page-11","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000210+01:00 stdout F {"start_time":"2025-12-31T16:40:00.210Z","method":"GET","x-envoy-origin-path":"/page-12","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000220+01:00 stdout F {"start_time":"2025-12-31T16:40:00.220Z","method":"GET","x-envoy-origin-path":"/page-13","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000230+01:00 stdout F {"start_time":"2025-12-31T16:40:00.230Z","method":"GET","x-envoy-origin-path":"/page-14","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000240+01:00 stdout F 
{"start_time":"2025-12-31T16:40:00.240Z","method":"GET","x-envoy-origin-path":"/page-15","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000250+01:00 stdout F {"start_time":"2025-12-31T16:40:00.250Z","method":"GET","x-envoy-origin-path":"/page-16","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000260+01:00 stdout F {"start_time":"2025-12-31T16:40:00.260Z","method":"GET","x-envoy-origin-path":"/page-17","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000270+01:00 stdout F {"start_time":"2025-12-31T16:40:00.270Z","method":"GET","x-envoy-origin-path":"/page-18","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000280+01:00 stdout F {"start_time":"2025-12-31T16:40:00.280Z","method":"GET","x-envoy-origin-path":"/page-19","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000290+01:00 stdout F {"start_time":"2025-12-31T16:40:00.290Z","method":"GET","x-envoy-origin-path":"/page-20","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000300+01:00 stdout F {"start_time":"2025-12-31T16:40:00.300Z","method":"GET","x-envoy-origin-path":"/page-21","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000310+01:00 stdout F 
{"start_time":"2025-12-31T16:40:00.310Z","method":"GET","x-envoy-origin-path":"/page-22","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000320+01:00 stdout F {"start_time":"2025-12-31T16:40:00.320Z","method":"GET","x-envoy-origin-path":"/page-23","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000330+01:00 stdout F {"start_time":"2025-12-31T16:40:00.330Z","method":"GET","x-envoy-origin-path":"/page-24","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000340+01:00 stdout F {"start_time":"2025-12-31T16:40:00.340Z","method":"GET","x-envoy-origin-path":"/page-25","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000350+01:00 stdout F {"start_time":"2025-12-31T16:40:00.350Z","method":"GET","x-envoy-origin-path":"/page-26","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000360+01:00 stdout F {"start_time":"2025-12-31T16:40:00.360Z","method":"GET","x-envoy-origin-path":"/page-27","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000370+01:00 stdout F {"start_time":"2025-12-31T16:40:00.370Z","method":"GET","x-envoy-origin-path":"/page-28","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000380+01:00 stdout F 
{"start_time":"2025-12-31T16:40:00.380Z","method":"GET","x-envoy-origin-path":"/page-29","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000390+01:00 stdout F {"start_time":"2025-12-31T16:40:00.390Z","method":"GET","x-envoy-origin-path":"/page-30","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000400+01:00 stdout F {"start_time":"2025-12-31T16:40:00.400Z","method":"GET","x-envoy-origin-path":"/page-31","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000410+01:00 stdout F {"start_time":"2025-12-31T16:40:00.410Z","method":"GET","x-envoy-origin-path":"/page-32","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000420+01:00 stdout F {"start_time":"2025-12-31T16:40:00.420Z","method":"GET","x-envoy-origin-path":"/page-33","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000430+01:00 stdout F {"start_time":"2025-12-31T16:40:00.430Z","method":"GET","x-envoy-origin-path":"/page-34","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000440+01:00 stdout F {"start_time":"2025-12-31T16:40:00.440Z","method":"GET","x-envoy-origin-path":"/page-35","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000450+01:00 stdout F 
{"start_time":"2025-12-31T16:40:00.450Z","method":"GET","x-envoy-origin-path":"/page-36","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000460+01:00 stdout F {"start_time":"2025-12-31T16:40:00.460Z","method":"GET","x-envoy-origin-path":"/page-37","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000470+01:00 stdout F {"start_time":"2025-12-31T16:40:00.470Z","method":"GET","x-envoy-origin-path":"/page-38","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000480+01:00 stdout F {"start_time":"2025-12-31T16:40:00.480Z","method":"GET","x-envoy-origin-path":"/page-39","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000490+01:00 stdout F {"start_time":"2025-12-31T16:40:00.490Z","method":"GET","x-envoy-origin-path":"/page-40","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} +2025-12-31T17:40:00.000000490+01:00 stdout F {"start_time":"2025-12-31T16:40:00.490Z","method":"GET","x-envoy-origin-path":"/page-41","response_code":404,"user-agent":"Mozilla/5.0","downstream_remote_address":"10.0.0.13:40000",":authority":"crawl.internal"} diff --git a/.tests/envoy-http-crawl-non_statics/scenario.assert b/.tests/envoy-http-crawl-non_statics/scenario.assert new file mode 100644 index 00000000000..512b8c9fbb0 --- /dev/null +++ b/.tests/envoy-http-crawl-non_statics/scenario.assert 
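Review bot: The last two entries of the fixture (`/page-40` and `/page-41`) carry the same CRI timestamp `2025-12-31T17:40:00.000000490+01:00` and the same `"start_time":"2025-12-31T16:40:00.490Z"`, breaking the strict 10 ms step the preceding 40 lines follow; this looks like a copy-paste slip rather than intent. If `/page-41` is meant to be a distinct request, give it `2025-12-31T17:40:00.000000500+01:00` and `"start_time":"2025-12-31T16:40:00.500Z"`, and update the matching `Events[5].GetMeta("timestamp")` assertion in `.tests/envoy-http-crawl-non_statics/scenario.assert`, which currently pins `2025-12-31T16:40:00.49Z` for both `Events[4]` and `Events[5]` (presumably to `2025-12-31T16:40:00.5Z`, given how `.450Z` is rendered as `.45Z` there). If two requests in the same millisecond are deliberate, say so in the PR description so the next reader does not take it for an error.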
@@ -0,0 +1,81 @@ +len(results) == 1 +"10.0.0.13" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["10.0.0.13"].IP == "10.0.0.13" +results[0].Overflow.Sources["10.0.0.13"].Range == "" +results[0].Overflow.Sources["10.0.0.13"].GetScope() == "Ip" +results[0].Overflow.Sources["10.0.0.13"].GetValue() == "10.0.0.13" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/page-36" +results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[0].GetMeta("target_fqdn") == "crawl.internal" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-12-31T16:40:00.45Z" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/page-37" +results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "http" 
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[1].GetMeta("target_fqdn") == "crawl.internal" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-12-31T16:40:00.46Z" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/page-38" +results[0].Overflow.Alert.Events[2].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[2].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[2].GetMeta("target_fqdn") == "crawl.internal" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-12-31T16:40:00.47Z" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/page-39" +results[0].Overflow.Alert.Events[3].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[3].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[3].GetMeta("target_fqdn") == 
"crawl.internal" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-12-31T16:40:00.48Z" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/page-40" +results[0].Overflow.Alert.Events[4].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[4].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[4].GetMeta("target_fqdn") == "crawl.internal" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-12-31T16:40:00.49Z" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "envoy-http-crawl-non_statics.log" +results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0" +results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/page-41" +results[0].Overflow.Alert.Events[5].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Mozilla/5.0" +results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[5].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.0.0.13" +results[0].Overflow.Alert.Events[5].GetMeta("target_fqdn") == "crawl.internal" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-12-31T16:40:00.49Z" 
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-crawl-non_statics"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 41
diff --git a/.tests/envoy-logs/config.yaml b/.tests/envoy-logs/config.yaml
new file mode 100644
index 00000000000..82838268555
--- /dev/null
+++ b/.tests/envoy-logs/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+ - crowdsecurity/cri-logs
+ - ./parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
+ - crowdsecurity/http-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ""
+postoverflows:
+ - ""
+log_file: envoy.log
+log_type: containerd
+labels:
+ program: envoy
diff --git a/.tests/envoy-logs/envoy.log b/.tests/envoy-logs/envoy.log
new file mode 100644
index 00000000000..13265dba9c9
--- /dev/null
+++ b/.tests/envoy-logs/envoy.log
@@ -0,0 +1,4 @@ +2025-12-31T17:37:40.493035218+01:00 stdout F {":authority":"www.example.com","bytes_received":0,"bytes_sent":121258,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10443","downstream_remote_address":"10.0.0.12:59292","duration":11,"method":"GET","protocol":"HTTP/2","requested_server_name":null,"response_code":200,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/app/app-www-example-com/rule/0/match/0/www_example_com","start_time":"2025-12-31T16:37:40.479Z","upstream_cluster":"httproute/app/app-www-example-com/rule/0","upstream_host":"10.42.0.82:8080","upstream_local_address":"10.42.0.77:51216","upstream_transport_failure_reason":null,"user-agent":"Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0","x-envoy-origin-path":"/assets/image.webp","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.0.0.12","x-request-id":"3bbc0252-2d5c-49fe-bd89-104e9b61770b"} +2025-12-31T18:22:06.456373561+01:00 stdout F {":authority":"10.0.0.13","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10080","downstream_remote_address":"192.168.1.45:33045","duration":0,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":301,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*","start_time":"2025-12-31T17:22:04.951Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36","x-envoy-origin-path":"/","x-envoy-upstream-service-time":null,"x-forwarded-for":"192.168.1.45","x-request-id":"a9864e02-c6f5-4375-a27d-3ffd7f312811"} +2025-12-31T18:30:06.518608527+01:00 stdout F 
{":authority":"foo.example.com","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"10.42.0.77:10443","downstream_remote_address":"172.16.2.33:49578","duration":5,"method":"HEAD","protocol":"HTTP/2","requested_server_name":null,"response_code":404,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com","start_time":"2025-12-31T17:30:03.228Z","upstream_cluster":"httproute/app/app-foo-example-com/rule/0","upstream_host":"10.42.0.88:1337","upstream_local_address":"10.42.0.77:47106","upstream_transport_failure_reason":null,"user-agent":"curl/8.5.0","x-envoy-origin-path":"/.env","x-envoy-upstream-service-time":null,"x-forwarded-for":"172.16.2.33","x-request-id":"fff03852-5ae8-468b-a528-434d095ddc49"} +2025-12-31T19:00:00.310000000+01:00 stdout F [2016-04-15T20:17:00.310Z] "POST /api/v1/locations HTTP/2" 204 - 154 0 226 100 "10.0.35.28" "nsq2http" "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" "locations" "tcp://10.0.2.1:80" diff --git a/.tests/envoy-logs/parser.assert b/.tests/envoy-logs/parser.assert new file mode 100644 index 00000000000..119627278f3 --- /dev/null +++ b/.tests/envoy-logs/parser.assert 
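Review bot: In all three JSON lines the `x-forwarded-for` value equals the host part of `downstream_remote_address` (`10.0.0.12`, `192.168.1.45`, `172.16.2.33`), so the `remote_addr` / `source_ip` assertions in `parser.assert` cannot tell which of the two fields the parser derives the source IP from. `x-forwarded-for` is supplied by the client unless Envoy is configured to trust only known proxies, so a later change that switched the parser to it would pass this fixture unnoticed while attributing alerts to the wrong address. Add one line where the two differ, e.g. keep `"downstream_remote_address":"172.16.2.33:49578"` but set `"x-forwarded-for":"203.0.113.9"` (constructed, TEST-NET-3), and assert that `source_ip` follows `downstream_remote_address`, which the `raw_remote_addr == "10.0.0.12:59292"` assertion further down suggests is the intended source. The fourth, non-JSON line (Envoy's default text access-log format, with a 2016 inner timestamp) has no assertion visible in this chunk; whether the parser is expected to handle it or to fail cleanly is decided in `parser.assert` beyond the end of this view.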
@@ -0,0 +1,595 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/cri-logs"]) == 4 +results["s00-raw"]["crowdsecurity/cri-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["message"] == "{\":authority\":\"www.example.com\",\"bytes_received\":0,\"bytes_sent\":121258,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.0.0.12:59292\",\"duration\":11,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-www-example-com/rule/0/match/0/www_example_com\",\"start_time\":\"2025-12-31T16:37:40.479Z\",\"upstream_cluster\":\"httproute/app/app-www-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0\",\"x-envoy-origin-path\":\"/assets/image.webp\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"10.0.0.12\",\"x-request-id\":\"3bbc0252-2d5c-49fe-bd89-104e9b61770b\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][1].Success == true 
+results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["message"] == "{\":authority\":\"10.0.0.13\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10080\",\"downstream_remote_address\":\"192.168.1.45:33045\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*\",\"start_time\":\"2025-12-31T17:22:04.951Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.45\",\"x-request-id\":\"a9864e02-c6f5-4375-a27d-3ffd7f312811\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["logsource"] == "cri" 
+results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["message"] == "{\":authority\":\"foo.example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"172.16.2.33:49578\",\"duration\":5,\"method\":\"HEAD\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":404,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com\",\"start_time\":\"2025-12-31T17:30:03.228Z\",\"upstream_cluster\":\"httproute/app/app-foo-example-com/rule/0\",\"upstream_host\":\"10.42.0.88:1337\",\"upstream_local_address\":\"10.42.0.77:47106\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.5.0\",\"x-envoy-origin-path\":\"/.env\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"172.16.2.33\",\"x-request-id\":\"fff03852-5ae8-468b-a528-434d095ddc49\"}" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cri-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["cri_timestamp"] == "2025-12-31T19:00:00.310000000+01:00" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["logsource"] == "cri" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["logtag"] == "F" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["message"] == "[2016-04-15T20:17:00.310Z] \"POST /api/v1/locations HTTP/2\" 204 - 154 0 226 100 
\"10.0.35.28\" \"nsq2http\" \"cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2\" \"locations\" \"tcp://10.0.2.1:80\"" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["program"] == "envoy" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Parsed["stream"] == "stdout" +basename(results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Meta["datasource_path"]) == "envoy.log" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/cri-logs"][3].Evt.Whitelisted == false +len(results["s01-parse"]["yanis-kouidri/envoy-logs"]) == 4 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["message"] == "{\":authority\":\"www.example.com\",\"bytes_received\":0,\"bytes_sent\":121258,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.0.0.12:59292\",\"duration\":11,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-www-example-com/rule/0/match/0/www_example_com\",\"start_time\":\"2025-12-31T16:37:40.479Z\",\"upstream_cluster\":\"httproute/app/app-www-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 
Firefox/136.0\",\"x-envoy-origin-path\":\"/assets/image.webp\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"10.0.0.12\",\"x-request-id\":\"3bbc0252-2d5c-49fe-bd89-104e9b61770b\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["raw_remote_addr"] == "10.0.0.12:59292" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["remote_addr"] == "10.0.0.12" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["request"] == "/assets/image.webp" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["target_fqdn"] == "www.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["time"] == "2025-12-31T16:37:40.479Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["http_path"] == "/assets/image.webp" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["http_status"] == "200" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["source_ip"] == "10.0.0.12" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Meta["target_fqdn"] == "www.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["message"] == "{\":authority\":\"10.0.0.13\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10080\",\"downstream_remote_address\":\"192.168.1.45:33045\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*\",\"start_time\":\"2025-12-31T17:22:04.951Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/41.0.2228.0 Safari/537.36\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.45\",\"x-request-id\":\"a9864e02-c6f5-4375-a27d-3ffd7f312811\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["raw_remote_addr"] == "192.168.1.45:33045" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["remote_addr"] == "192.168.1.45" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["request"] == "/" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["status"] == "301" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["target_fqdn"] == "10.0.0.13" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["time"] == "2025-12-31T17:22:04.951Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Parsed["verb"] == "GET" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["http_path"] == "/" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["http_status"] == "301" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["source_ip"] == "192.168.1.45" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Meta["target_fqdn"] == "10.0.0.13" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" +results["s01-parse"]["yanis-kouidri/envoy-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Success == true +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["http_user_agent"] == "curl/8.5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["message"] == "{\":authority\":\"foo.example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"172.16.2.33:49578\",\"duration\":5,\"method\":\"HEAD\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":404,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com\",\"start_time\":\"2025-12-31T17:30:03.228Z\",\"upstream_cluster\":\"httproute/app/app-foo-example-com/rule/0\",\"upstream_host\":\"10.42.0.88:1337\",\"upstream_local_address\":\"10.42.0.77:47106\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.5.0\",\"x-envoy-origin-path\":\"/.env\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"172.16.2.33\",\"x-request-id\":\"fff03852-5ae8-468b-a528-434d095ddc49\"}" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["raw_remote_addr"] == "172.16.2.33:49578" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["remote_addr"] == "172.16.2.33" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["request"] == "/.env" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["status"] == "404" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["target_fqdn"] == "foo.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["time"] == "2025-12-31T17:30:03.228Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Parsed["verb"] == "HEAD" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["http_path"] == "/.env" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["http_status"] == "404" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["http_user_agent"] == "curl/8.5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["http_verb"] == "HEAD" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["source_ip"] == "172.16.2.33" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Meta["target_fqdn"] == "foo.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com" +results["s01-parse"]["yanis-kouidri/envoy-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Success == true 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["bytes_received"] == "154" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["bytes_sent"] == "0" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["cri_timestamp"] == "2025-12-31T19:00:00.310000000+01:00" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["duration"] == "226" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["http_user_agent"] == "nsq2http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["http_version"] == "2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["logsource"] == "cri" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["logtag"] == "F" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["message"] == "[2016-04-15T20:17:00.310Z] \"POST /api/v1/locations HTTP/2\" 204 - 154 0 226 100 \"10.0.35.28\" \"nsq2http\" \"cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2\" \"locations\" \"tcp://10.0.2.1:80\"" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["program"] == "envoy" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["raw_remote_addr"] == "10.0.35.28" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["remote_addr"] == "10.0.35.28" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["request"] == "/api/v1/locations" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["request_id"] == "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["response_flags"] == "-" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["status"] == "204" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["stream"] == "stdout" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["target_fqdn"] == "locations" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["time"] == "2016-04-15T20:17:00.310Z" 
+results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["upstream_host"] == "tcp://10.0.2.1:80" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["upstream_service_time"] == "100" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["verb"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Parsed["x_forwarded_for"] == "10.0.35.28" +basename(results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["datasource_path"]) == "envoy.log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["http_path"] == "/api/v1/locations" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["http_status"] == "204" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["http_user_agent"] == "nsq2http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["http_verb"] == "POST" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["service"] == "http" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["source_ip"] == "10.0.35.28" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Meta["target_fqdn"] == "locations" +results["s01-parse"]["yanis-kouidri/envoy-logs"][3].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "cri" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\":authority\":\"www.example.com\",\"bytes_received\":0,\"bytes_sent\":121258,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.0.0.12:59292\",\"duration\":11,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-www-example-com/rule/0/match/0/www_example_com\",\"start_time\":\"2025-12-31T16:37:40.479Z\",\"upstream_cluster\":\"httproute/app/app-www-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0\",\"x-envoy-origin-path\":\"/assets/image.webp\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"10.0.0.12\",\"x-request-id\":\"3bbc0252-2d5c-49fe-bd89-104e9b61770b\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["raw_remote_addr"] == "10.0.0.12:59292" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_fqdn"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "2025-12-31T16:37:40.479Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_fqdn"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:22:06.456373561+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\":authority\":\"10.0.0.13\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10080\",\"downstream_remote_address\":\"192.168.1.45:33045\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*\",\"start_time\":\"2025-12-31T17:22:04.951Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.45\",\"x-request-id\":\"a9864e02-c6f5-4375-a27d-3ffd7f312811\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["raw_remote_addr"] == "192.168.1.45:33045" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.168.1.45" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["request"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["status"] == "301" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["target_fqdn"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_status"] == "301" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.45" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_fqdn"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_user_agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\":authority\":\"foo.example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"172.16.2.33:49578\",\"duration\":5,\"method\":\"HEAD\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":404,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com\",\"start_time\":\"2025-12-31T17:30:03.228Z\",\"upstream_cluster\":\"httproute/app/app-foo-example-com/rule/0\",\"upstream_host\":\"10.42.0.88:1337\",\"upstream_local_address\":\"10.42.0.77:47106\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.5.0\",\"x-envoy-origin-path\":\"/.env\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"172.16.2.33\",\"x-request-id\":\"fff03852-5ae8-468b-a528-434d095ddc49\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["raw_remote_addr"] == "172.16.2.33:49578" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "172.16.2.33" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["request"] == "/.env" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["target_fqdn"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["verb"] == "HEAD" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_path"] == "/.env" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_user_agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_verb"] == "HEAD" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.16.2.33" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["target_fqdn"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:30:03.228Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "172.16.2.33" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["bytes_received"] == "154" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["bytes_sent"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["cri_timestamp"] == "2025-12-31T19:00:00.310000000+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["duration"] == "226" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_user_agent"] == "nsq2http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_version"] == "2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "[2016-04-15T20:17:00.310Z] \"POST /api/v1/locations HTTP/2\" 204 - 154 0 226 100 \"10.0.35.28\" \"nsq2http\" \"cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2\" \"locations\" \"tcp://10.0.2.1:80\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["raw_remote_addr"] == "10.0.35.28" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "10.0.35.28" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["request"] == "/api/v1/locations" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["request_id"] == "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["status"] == "204" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["target_fqdn"] == "locations" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] == "2016-04-15T20:17:00.310Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["upstream_host"] == "tcp://10.0.2.1:80" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["upstream_service_time"] == "100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["verb"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["x_forwarded_for"] == "10.0.35.28" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_path"] == "/api/v1/locations" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_status"] == "204" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_user_agent"] == "nsq2http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_verb"] == "POST" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "http_access-log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "10.0.35.28" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_fqdn"] == "locations" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2016-04-15T20:17:00.31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2016-04-15T20:17:00.31Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 4 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["cri_timestamp"] == "2025-12-31T17:37:40.493035218+01:00" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/assets/" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_ext"] == ".webp" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_frag"] == "image" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_name"] == "image.webp" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["message"] == 
"{\":authority\":\"www.example.com\",\"bytes_received\":0,\"bytes_sent\":121258,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"10.0.0.12:59292\",\"duration\":11,\"method\":\"GET\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":200,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-www-example-com/rule/0/match/0/www_example_com\",\"start_time\":\"2025-12-31T16:37:40.479Z\",\"upstream_cluster\":\"httproute/app/app-www-example-com/rule/0\",\"upstream_host\":\"10.42.0.82:8080\",\"upstream_local_address\":\"10.42.0.77:51216\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0\",\"x-envoy-origin-path\":\"/assets/image.webp\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"10.0.0.12\",\"x-request-id\":\"3bbc0252-2d5c-49fe-bd89-104e9b61770b\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["raw_remote_addr"] == "10.0.0.12:59292" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_addr"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["request"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["static_ressource"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["target_fqdn"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["time"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["verb"] == "GET" 
+basename(results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_path"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_status"] == "200" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["target_fqdn"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2025-12-31T16:37:40.479Z" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "10.0.0.12" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["duration"] == 11 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T16:37:40.479Z" 
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-www-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/4.0 (Windows NT 9.0; Win64; x64; rv:136.0) Gecko/20101 Firefox/136.0" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-request-id"] == "3bbc0252-2d5c-49fe-bd89-104e9b61770b" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "10.0.0.12:59292" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-www-example-com/rule/0/match/0/www_example_com" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.82:8080" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:51216" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/assets/image.webp" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"][":authority"] == "www.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["bytes_sent"] == 121258 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code"] == 200 +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][1].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["cri_timestamp"] == 
"2025-12-31T18:22:06.456373561+01:00" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["file_dir"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["message"] == "{\":authority\":\"10.0.0.13\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10080\",\"downstream_remote_address\":\"192.168.1.45:33045\",\"duration\":0,\"method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"requested_server_name\":null,\"response_code\":301,\"response_code_details\":\"direct_response\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/http-to-https-filter-redirect/rule/0/match/0/*\",\"start_time\":\"2025-12-31T17:22:04.951Z\",\"upstream_cluster\":null,\"upstream_host\":null,\"upstream_local_address\":null,\"upstream_transport_failure_reason\":null,\"user-agent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\",\"x-envoy-origin-path\":\"/\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"192.168.1.45\",\"x-request-id\":\"a9864e02-c6f5-4375-a27d-3ffd7f312811\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["raw_remote_addr"] == "192.168.1.45:33045" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["remote_addr"] == "192.168.1.45" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["request"] == "/" 
+results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["status"] == "301" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["target_fqdn"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["time"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Parsed["verb"] == "GET" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["http_path"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["http_status"] == "301" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["source_ip"] == "192.168.1.45" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["target_fqdn"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Meta["timestamp"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["user-agent"] == "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/41.0.2228.0 Safari/537.36" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == "192.168.1.45" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10080" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:22:04.951Z" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-request-id"] == "a9864e02-c6f5-4375-a27d-3ffd7f312811" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"][":authority"] == "10.0.0.13" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["duration"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["method"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_code"] == 301 +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "192.168.1.45:33045" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["response_code_details"] == "direct_response" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/http-to-https-filter-redirect/rule/0/match/0/*" +results["s02-enrich"]["crowdsecurity/http-logs"][1].Evt.Whitelisted == false 
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["cri_timestamp"] == "2025-12-31T18:30:06.518608527+01:00" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["file_dir"] == "/" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["file_frag"] == ".env" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["file_name"] == ".env" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["http_user_agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["impact_completion"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["message"] == "{\":authority\":\"foo.example.com\",\"bytes_received\":0,\"bytes_sent\":0,\"connection_termination_details\":null,\"downstream_local_address\":\"10.42.0.77:10443\",\"downstream_remote_address\":\"172.16.2.33:49578\",\"duration\":5,\"method\":\"HEAD\",\"protocol\":\"HTTP/2\",\"requested_server_name\":null,\"response_code\":404,\"response_code_details\":\"via_upstream\",\"response_flags\":\"-\",\"route_name\":\"httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com\",\"start_time\":\"2025-12-31T17:30:03.228Z\",\"upstream_cluster\":\"httproute/app/app-foo-example-com/rule/0\",\"upstream_host\":\"10.42.0.88:1337\",\"upstream_local_address\":\"10.42.0.77:47106\",\"upstream_transport_failure_reason\":null,\"user-agent\":\"curl/8.5.0\",\"x-envoy-origin-path\":\"/.env\",\"x-envoy-upstream-service-time\":null,\"x-forwarded-for\":\"172.16.2.33\",\"x-request-id\":\"fff03852-5ae8-468b-a528-434d095ddc49\"}" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["program"] == "envoy" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["raw_remote_addr"] == "172.16.2.33:49578" 
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["remote_addr"] == "172.16.2.33" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["request"] == "/.env" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["target_fqdn"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["time"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Parsed["verb"] == "HEAD" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["http_path"] == "/.env" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["http_user_agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["http_verb"] == "HEAD" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["source_ip"] == "172.16.2.33" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["target_fqdn"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Meta["timestamp"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Enriched["MarshaledTime"] == "2025-12-31T17:30:03.228Z" 
+results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["protocol"] == "HTTP/2" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["route_name"] == "httproute/app/app-foo-example-com/rule/0/match/0/foo_example_com" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_local_address"] == "10.42.0.77:47106" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"][":authority"] == "foo.example.com" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_sent"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["method"] == "HEAD" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["start_time"] == "2025-12-31T17:30:03.228Z" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["user-agent"] == "curl/8.5.0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-envoy-origin-path"] == "/.env" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_remote_address"] == "172.16.2.33:49578" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_code"] == 404 +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["response_code_details"] == "via_upstream" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_host"] == "10.42.0.88:1337" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-request-id"] == "fff03852-5ae8-468b-a528-434d095ddc49" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["upstream_cluster"] == "httproute/app/app-foo-example-com/rule/0" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["x-forwarded-for"] == 
"172.16.2.33" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["bytes_received"] == 0 +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["downstream_local_address"] == "10.42.0.77:10443" +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Unmarshaled["envoy"]["duration"] == 5 +results["s02-enrich"]["crowdsecurity/http-logs"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][3].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["bytes_received"] == "154" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["bytes_sent"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["cri_timestamp"] == "2025-12-31T19:00:00.310000000+01:00" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["duration"] == "226" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["file_dir"] == "/api/v1/" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["file_frag"] == "locations" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["file_name"] == "locations" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["http_user_agent"] == "nsq2http" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["http_version"] == "2" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["impact_completion"] == "true" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["logsource"] == "cri" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["logtag"] == "F" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["message"] == "[2016-04-15T20:17:00.310Z] \"POST /api/v1/locations HTTP/2\" 204 - 154 0 226 100 \"10.0.35.28\" \"nsq2http\" \"cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2\" \"locations\" \"tcp://10.0.2.1:80\"" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["program"] == "envoy" 
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["raw_remote_addr"] == "10.0.35.28" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["remote_addr"] == "10.0.35.28" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["request"] == "/api/v1/locations" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["request_id"] == "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["response_flags"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["status"] == "204" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["stream"] == "stdout" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["target_fqdn"] == "locations" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["time"] == "2016-04-15T20:17:00.310Z" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["upstream_host"] == "tcp://10.0.2.1:80" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["upstream_service_time"] == "100" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["verb"] == "POST" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Parsed["x_forwarded_for"] == "10.0.35.28" +basename(results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["datasource_path"]) == "envoy.log" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["http_path"] == "/api/v1/locations" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["http_status"] == "204" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["http_user_agent"] == "nsq2http" +results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["http_verb"] == "POST" 
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["source_ip"] == "10.0.35.28"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["target_fqdn"] == "locations"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["timestamp"] == "2016-04-15T20:17:00.31Z"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Enriched["MarshaledTime"] == "2016-04-15T20:17:00.31Z"
+results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/envoy-logs/scenario.assert b/.tests/envoy-logs/scenario.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/collections/yanis-kouidri/envoy.md b/collections/yanis-kouidri/envoy.md
new file mode 100644
index 00000000000..3efb52f8c8e
--- /dev/null
+++ b/collections/yanis-kouidri/envoy.md
@@ -0,0 +1,28 @@
+## Envoy collection
+
+A collection to defend Envoy Gateway against common attacks:
+ - Envoy default access log format and JSON parser (CRI/containerd)
+ - base http scenarios (crawl, 404 scan, bf)
+
+## Acquisition template
+
+Example acquisition for this collection:
+
+```yaml
+filenames:
+ - /path/to/file
+labels:
+ type: envoy
+```
+
+Example acquisition for Kubernetes (containerd/CRI):
+
+```yaml
+container_runtime: containerd
+agent:
+ acquisition:
+ - namespace: envoy-gateway-system
+ podName: envoy-envoy-gateway-system-envoy-gateway-*
+ program: envoy
+ poll_without_inotify: true
+```
diff --git a/collections/yanis-kouidri/envoy.yaml b/collections/yanis-kouidri/envoy.yaml
new file mode 100644
index 00000000000..7e0731a5f00
--- /dev/null
+++ b/collections/yanis-kouidri/envoy.yaml
@@ -0,0 +1,10 @@
+parsers:
+ - yanis-kouidri/envoy-logs
+collections:
+ - crowdsecurity/base-http-scenarios
+description: "Envoy support: parser and generic http scenarios"
+author: yanis-kouidri
+tags:
+ - envoy
+ - http
+ - bruteforce
diff --git a/parsers/s01-parse/yanis-kouidri/envoy-logs.md b/parsers/s01-parse/yanis-kouidri/envoy-logs.md
new file mode 100644
index 00000000000..c2147a0e4a9
--- /dev/null
+++ b/parsers/s01-parse/yanis-kouidri/envoy-logs.md
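Review bot: The `parsers:` list installs only `yanis-kouidri/envoy-logs`, while the parser's README added in this same change names `crowdsecurity/cri-logs` as a required dependency and the hub test config for this parser loads `crowdsecurity/cri-logs`, `crowdsecurity/http-logs` and `crowdsecurity/dateparse-enrich` explicitly. Unless `crowdsecurity/base-http-scenarios` already pulls those in (I would expect it to carry http-logs, but I would not assume cri-logs), a user who installs the collection for the containerd acquisition documented in envoy.md likely gets no CRI unwrapping and the parser's `evt.Parsed.program == 'envoy'` filter never sees a decoded message. Add `- crowdsecurity/cri-logs` under `parsers:` (and `crowdsecurity/dateparse-enrich` if the base collection does not provide it), or state in `description` that it must be installed separately.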
@@ -0,0 +1,60 @@
+# Envoy JSON logs parser (CRI)
+
+## Description
+
+This parser decodes [Envoy Gateway](https://gateway.envoyproxy.io/) logs in the default access log format and JSON (when encapsulated in CRI for Kubernetes/containerd). It extracts HTTP metadata and forwards the event to crowdsecurity/http-logs and other enrichment parsers.
+
+Then it can proceed by http scenarios like the ones in the Envoy collection.
+
+Example Log (CRI/JSON)
+
+```log
+2023-10-27T10:00:00.000000Z stdout F {"start_time":"2023-10-27T10:00:00.000Z","method":"GET","x-envoy-origin-path":"/admin","response_code":404,"user-agent":"Mozilla/5.0...","downstream_remote_address":"1.2.3.4:5678",":authority":"example.com"}
+```
+
+### Extracted Fields
+
+- `source_ip`: Client IP address.
+- `http_path`: Requested URL path.
+- `http_verb`: HTTP method (GET, POST, etc.).
+- `http_status`: Response code.
+- `target_fqdn`: Target domain.
+- `http_user_agent`: Client identifier.
+
+### Dependencies
+
+The following components must be installed for this parser to work correctly:
+
+- crowdsecurity/cri-logs.
+
+## Usage
+
+Example of agent part of a `values.yaml` to use with crowdsec helm installation on Kubernetes
+
+```yaml
+container_runtime: containerd
+agent:
+ acquisition:
+ - namespace: envoy-gateway-system
+ podName: envoy-envoy-gateway-system-envoy-gateway-*
+ program: envoy
+ poll_without_inotify: true
+
+ env:
+ - name: COLLECTIONS
+ value: "yanis-kouidri/envoy"
+```
+
+### Test
+
+Validate:
+
+```bash
+sudo cscli hubtest run envoy-logs
+```
+
+Get details:
+
+```bash
+sudo cscli hubtest explain envoy-logs
+```
diff --git a/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml b/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
new file mode 100644
index 00000000000..e1f606a5b39
--- /dev/null
+++ b/parsers/s01-parse/yanis-kouidri/envoy-logs.yaml
@@ -0,0 +1,52 @@
+filter: "evt.Parsed.program == 'envoy'"
+onsuccess: next_stage
+name: yanis-kouidri/envoy-logs
+description: envoy access logs parser
+nodes:
+ # Default Envoy access log format:
+ # https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
+ - grok:
+ pattern: '\[%{DATA:time}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{DATA:response_flags} %{DATA:bytes_received} %{DATA:bytes_sent} %{DATA:duration} %{DATA:upstream_service_time} "%{DATA:x_forwarded_for}" "%{DATA:http_user_agent}" "%{DATA:request_id}" "%{DATA:target_fqdn}" "%{DATA:upstream_host}"'
+ apply_on: message
+ statics:
+ - parsed: raw_remote_addr
+ expression: evt.Parsed.x_forwarded_for
+ - parsed: remote_addr
+ expression: "evt.Parsed.x_forwarded_for != nil ? Split(evt.Parsed.x_forwarded_for, ',')[0] : nil"
+ - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "envoy") in ["", nil]
+ statics:
+ - parsed: time
+ expression: evt.Unmarshaled.envoy.start_time
+ - parsed: raw_remote_addr
+ expression: evt.Unmarshaled.envoy.downstream_remote_address
+ - parsed: remote_addr
+ expression: "evt.Unmarshaled.envoy.downstream_remote_address != nil ? Split(evt.Unmarshaled.envoy.downstream_remote_address, ':')[0] : nil"
+ - parsed: request
+ expression: evt.Unmarshaled.envoy["x-envoy-origin-path"]
+ - parsed: verb
+ expression: evt.Unmarshaled.envoy.method
+ - parsed: status
+ expression: "evt.Unmarshaled.envoy.response_code != nil ? 
int(evt.Unmarshaled.envoy.response_code) : nil"
+ - parsed: http_user_agent
+ expression: evt.Unmarshaled.envoy["user-agent"]
+ - parsed: target_fqdn
+ expression: evt.Unmarshaled.envoy[":authority"]
+statics:
+ - target: evt.StrTime
+ expression: evt.Parsed.time
+ - meta: service
+ value: http
+ - meta: log_type
+ value: http_access-log
+ - meta: source_ip
+ expression: "evt.Parsed.remote_addr"
+ - meta: http_path
+ expression: "evt.Parsed.request"
+ - meta: http_verb
+ expression: "evt.Parsed.verb"
+ - meta: http_status
+ expression: "evt.Parsed.status"
+ - meta: http_user_agent
+ expression: "evt.Parsed.http_user_agent"
+ - meta: target_fqdn
+ expression: "evt.Parsed.target_fqdn"
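Review bot: `Split(evt.Unmarshaled.envoy.downstream_remote_address, ':')[0]` in the JSON node's `remote_addr` static keeps everything before the first colon, so an IPv6 downstream address in Envoy's `[addr]:port` form yields `[` instead of the address and the `source_ip` meta (which every decision downstream keys on) is wrong for IPv6 clients; strip the trailing `:port` from the end rather than splitting on the first colon, and add a test line with an IPv6 `downstream_remote_address` to the fixture. In the grok node the concern is trust rather than syntax: `Split(evt.Parsed.x_forwarded_for, ',')[0]` takes the leftmost hop of X-Forwarded-For, which is supplied by the client unless Envoy is configured to overwrite or trust that header, so the address that ends up in `source_ip` can be chosen by the requester. A comment above that static such as `# leftmost XFF hop is client-controlled unless Envoy rewrites/trusts the header; the JSON node prefers downstream_remote_address for this reason` would make the limitation visible to operators using the text format. The file has no header comment saying which Envoy access-log configurations the two nodes expect (default text format vs. the JSON keys read here); a short one above `nodes:` would help.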