diff --git a/.index.json b/.index.json
index c2c70de59a0..58b380a2a37 100644
--- a/.index.json
+++ b/.index.json
@@ -2147,6 +2147,27 @@
 "fulljackz/pureftpd-bf"
 ]
 },
+ "gauth-fr/immich": {
+ "path": "collections/gauth-fr/immich.yml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "b18a419be300518ec1c82139f892af0d854dda2ff38ef13310568d48f632d5d1",
+ "deprecated": false
+ }
+ },
+ "long_description": "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",
+ "content": "cGFyc2VyczoKICAtIGdhdXRoLWZyL2ltbWljaC1sb2dzCnNjZW5hcmlvczoKICAtIGdhdXRoLWZyL2ltbWljaC1iZgpkZXNjcmlwdGlvbjogIkltbWljaCBzdXBwb3J0IDogcGFyc2VyIGFuZCBicnV0ZS1mb3JjZSBkZXRlY3Rpb24iCmF1dGhvcjogZ2F1dGgtZnIKdGFnczoKICAtIGxpbnV4CiAgLSBicnV0ZS1mb3JjZQogIC0gaW1taWNoCg==",
+ "description": "Immich support : parser and brute-force detection",
+ "author": "gauth-fr",
+ "labels": null,
+ "parsers": [
+ "gauth-fr/immich-logs"
+ ],
+ "scenarios": [
+ "gauth-fr/immich-bf"
+ ]
+ },
 "hitech95/nginx-mail": {
 "path": "collections/hitech95/nginx-mail.yaml",
 "version": "0.1",
@@ -4811,15 +4832,19 @@
 "gauth-fr/immich-logs": {
 "path": "parsers/s01-parse/gauth-fr/immich-logs.yaml",
 "stage": "s01-parse",
- "version": "0.1",
+ "version": "0.2",
 "versions": {
 "0.1": {
 "digest": "5a9e8bfc8183eac0ae04713773e2fe932771a70eeebbd191b88d48abca944aad",
 "deprecated": false
+ },
+ "0.2": {
+ "digest": "a8e655f18af1598eee89e0bc8a417f52c6c48139c8124b4e9bdee32357faa85d",
+ "deprecated": false
 }
 },
 "long_description": "UGFyc2VyIGZvciBbSW1taWNoXShodHRwczovL2dpdGh1Yi5jb20vaW1taWNoLWFwcC9pbW1pY2gpIExvZ3MuCgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAtIC92YXIvbG9nL2ltbWljaF9zZXJ2ZXIubG9nCmxhYmVsczoKICB0eXBlOiBpbW1pY2gKYGBgCgpgYGB5YW1sCi0tLQpzb3VyY2U6IGRvY2tlcgpjb250YWluZXJfbmFtZToKIC0gaW1taWNoX3NlcnZlcgojY29udGFpbmVyX2lkOgojIC0gODQzZWU5MmQyMzFiCmxhYmVsczoKICB0eXBlOiBpbW1pY2gKYGBgCg==",
- "content": "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",
+ "content": "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",
 "description": "Parse Immich logs",
 "author": "gauth-fr",
 "labels": null
diff --git a/.tests/immich-logs/immich-logs.log b/.tests/immich-logs/immich-logs.log
index 3b6f6bc12a9..bd81b1a5584 100644
--- a/.tests/immich-logs/immich-logs.log
+++ b/.tests/immich-logs/immich-logs.log
@@ -1,3 +1,4 @@
 [Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254
 [Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
-[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212
\ No newline at end of file
+[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212
+\x1b[33m[Nest] 6 - \x1b[39m08/04/2023, 8:47:38 PM \x1b[33m WARN\x1b[39m \x1b[38;5;3m[AuthService] \x1b[39m\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\x1b
\ No newline at end of file
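Review bot: The added sample line encodes the ANSI colour codes as the literal four characters `\x1b` rather than the ESC byte (0x1B), so this fixture — and the `parser.assert` hunks that pin `Parsed["message"]` to `"\\x1b[33m..."` for event [3] at every stage — exercise a backslash-x-1-b text sequence, not the control character that colour-enabled console output would presumably contain. Whether the parser behaves the same on a raw 0x1B byte is therefore not shown by this test; if the intent is to cover coloured Docker output, the fixture should carry the real byte (or add a second line that does) and the assertions should be regenerated from it. The line also ends in a bare `\x1b` with no following `[39m`, which looks like a truncated copy and is worth checking against a real log line. The `\ No newline at end of file` marker is still present, which is harmless but leaves the last record depending on EOF handling in the reader.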
diff --git a/.tests/immich-logs/parser.assert b/.tests/immich-logs/parser.assert
index 08e91b14bf5..20eb1ffc004 100644
--- a/.tests/immich-logs/parser.assert
+++ b/.tests/immich-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "immich"
@@ -15,61 +15,79 @@ results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "[Nes
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "immich"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "immich"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
-len(results["s01-parse"]["gauth-fr/immich-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+len(results["s01-parse"]["gauth-fr/immich-logs"]) == 4
 results["s01-parse"]["gauth-fr/immich-logs"][0].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["program"] == "immich"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
+results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["source_ip"] == "192.168.0.254"
 results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["user"] == "azaz@qsqs.com"
-results["s01-parse"]["gauth-fr/immich-logs"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Success == true
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["source_ip"] == "176.172.44.211"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03 PM"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["username"] == "fds@hdd.com"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Parsed["program"] == "immich"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["log_type"] == "immich_failed_auth"
-results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["source_ip"] == "176.172.44.211"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["user"] == "fds@hdd.com"
 results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["log_type"] == "immich_failed_auth"
+results["s01-parse"]["gauth-fr/immich-logs"][1].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Success == true
-results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["source_ip"] == "176.172.44.212"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["username"] == "fds@hdd.com"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
+results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Parsed["program"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["service"] == "immich"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["source_ip"] == "176.172.44.212"
 results["s01-parse"]["gauth-fr/immich-logs"][2].Evt.Meta["user"] == "fds@hdd.com"
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
+results["s01-parse"]["gauth-fr/immich-logs"][3].Success == true
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["username"] == "fjdi@fkdk.cof"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["program"] == "immich"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["source_ip"] == "176.171.169.54"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Parsed["timestamp"] == "08/04/2023, 8:47:38 PM"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["log_type"] == "immich_failed_auth"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["service"] == "immich"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["source_ip"] == "176.171.169.54"
+results["s01-parse"]["gauth-fr/immich-logs"][3].Evt.Meta["user"] == "fjdi@fkdk.cof"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:32:47 PM WARN [AuthService] Failed login attempt for user azaz@qsqs.com from ip address 192.168.0.254"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.0.254"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "08/02/2023, 7:32:47 PM"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["username"] == "azaz@qsqs.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "azaz@qsqs.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.0.254"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-08-02T19:32:47Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "azaz@qsqs.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:32:47Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211"
@@ -77,26 +95,40 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "176.172.44.211"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03 PM"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "fds@hdd.com"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "176.172.44.211"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-08-02T19:34:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "fds@hdd.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-08-02T19:34:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "176.172.44.212"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "08/02/2023, 7:34:03"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "fds@hdd.com"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-08-02T07:34:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.212"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "fds@hdd.com"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "immich-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "immich_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "immich"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "176.172.44.212"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2023-08-02T07:34:03Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2023-08-02T07:34:03Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "immich"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "176.171.169.54"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "08/04/2023, 8:47:38 PM"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "fjdi@fkdk.cof"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "\\x1b[33m[Nest] 6 - \\x1b[39m08/04/2023, 8:47:38 PM \\x1b[33m WARN\\x1b[39m \\x1b[38;5;3m[AuthService] \\x1b[39m\\x1b[33mFailed login attempt for user fjdi@fkdk.cof from ip address 176.171.169.54\\x1b"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "immich"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "176.171.169.54"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2023-08-04T20:47:38Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["user"] == "fjdi@fkdk.cof"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "immich-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "immich_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2023-08-04T20:47:38Z"
 len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/collections/gauth-fr/immich.md b/collections/gauth-fr/immich.md
new file mode 100644
index 00000000000..5334c21d97a
--- /dev/null
+++ b/collections/gauth-fr/immich.md
@@ -0,0 +1,28 @@
+A collection to defend [Immich](https://immich.app) instance against common attacks :
+ - Immich parser
+ - Immich bruteforce detection
+
+## Acquisition template
+
+Example acquisition for this collection :
+
+If using LOG_FILE environment variable:
+```yaml
+---
+filenames:
+ - /var/log/immich/immich_server.log
+labels:
+ type: immich
+```
+
+For Docker directly
+```yaml
+---
+source: docker
+container_name:
+ - immich_server
+#container_id:
+# - 843ee92d231b
+labels:
+ type: immich
+```
diff --git a/collections/gauth-fr/immich.yml b/collections/gauth-fr/immich.yml
new file mode 100644
index 00000000000..d97eb8772f2
--- /dev/null
+++ b/collections/gauth-fr/immich.yml
@@ -0,0 +1,10 @@
+parsers:
+ - gauth-fr/immich-logs
+scenarios:
+ - gauth-fr/immich-bf
+description: "Immich support : parser and brute-force detection"
+author: gauth-fr
+tags:
+ - linux
+ - brute-force
+ - immich
diff --git a/parsers/s01-parse/gauth-fr/immich-logs.yaml b/parsers/s01-parse/gauth-fr/immich-logs.yaml
index 46b5989834d..e49d3f2bfbb 100644
--- a/parsers/s01-parse/gauth-fr/immich-logs.yaml
+++ b/parsers/s01-parse/gauth-fr/immich-logs.yaml
@@ -8,7 +8,7 @@ pattern_syntax:
 IMMICH_CUSTOMDATE: "%{MONTHNUM2}/%{MONTHDAY}/%{YEAR}, %{TIME}"
 nodes:
 - grok:
- pattern: ".*%{IMMICH_CUSTOMDATE_PM:timestamp} WARN \\[AuthService] Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}"
+ pattern: ".*%{IMMICH_CUSTOMDATE_PM:timestamp}.*Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}.*"
 #[Nest] 7 - 08/02/2023, 7:34:03 PM WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
 apply_on: message
@@ -18,7 +18,7 @@ nodes:
 - target: evt.StrTimeFormat
 value: "01/02/2006, 3:04:05 PM"
 - grok:
- pattern: ".*%{IMMICH_CUSTOMDATE:timestamp} WARN \\[AuthService] Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}"
+ pattern: ".*%{IMMICH_CUSTOMDATE:timestamp}.*Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}.*"
 #[Nest] 7 - 08/02/2023, 7:34:03 WARN [AuthService] Failed login attempt for user fds@hdd.com from ip address 176.172.44.211
 apply_on: message
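Review bot: The relaxed `+ pattern:` line in the `@@ -8,7 +8,7 @@` hunk drops the ` WARN \[AuthService]` anchor in favour of `.*`, so any Immich message containing `Failed login attempt for user <email> from ip address <ip>` is now parsed as an auth failure regardless of the level or component that emitted it; since `source_ip` ends up in `Meta` and is presumably what the `gauth-fr/immich-bf` scenario keys on, this widens the surface for false positives (and for a ban driven by a logged string the parser was never meant to trust) more than the colour-code fix needs. The component anchor can be kept while still tolerating escape sequences between the tokens, e.g. `pattern: ".*%{IMMICH_CUSTOMDATE_PM:timestamp}.*WARN.*\\[AuthService].*Failed login attempt for user %{EMAILADDRESS:username} from ip address %{IP:source_ip}"` — the added fixture line still matches because `WARN` and `[AuthService]` occur in it in that order. The same relaxation is made in the `@@ -18,7 +18,7 @@` hunk for the `IMMICH_CUSTOMDATE` variant and the same tighter form applies there. The `#[Nest] …` comment under each pattern still shows only the uncoloured form; adding the coloured sample beside it would document why the `.*` gaps exist. Both hunks declare seven lines but show six on this page, so each grok node's trailing context lies outside what is visible here.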