diff --git a/infra/security/crowdsec-safeline.md b/infra/security/crowdsec-safeline.md index c6754a7..f4abb88 100644 --- a/infra/security/crowdsec-safeline.md +++ b/infra/security/crowdsec-safeline.md @@ -31,7 +31,7 @@ Traefik DaemonSet (stdout JSON accessLog) | Values | `~/k8s/vector/values.yaml` | | CrowdSec 포트 | 8086 | | 인증 | `Authorization: traefik-crowdsec-log-2024` | -| 파서 | `crowdsecurity/traefik-logs` (Hub, JSON 모드). APISIX: `custom/apisix-logs` (로컬, 서울 비표준 nginx 포맷 대응) | +| 파서 | `crowdsecurity/nginx-logs` (Hub, 표준 nginx combined). Vector에서 모든 로그를 표준 포맷으로 변환 후 VictoriaLogs 저장 | ### APISIX → VictoriaLogs → CrowdSec (서울+오사카 통합) @@ -49,7 +49,7 @@ Traefik DaemonSet (stdout JSON accessLog) | CrowdSec acquisition | `/etc/crowdsec/acquis.d/victorialogs-apisix.yaml` (`source: victorialogs`, `mode: tail`, `query: program:apisix log_type:access`) | | 서울 Vector | K3s DaemonSet (Helm `vector/vector`), `parse_apisix` transform → `vlogs` ES sink | | 오사카 Vector | Docker `timberio/vector:0.45.0-debian`, `/etc/vector/vector.yaml`, `docker_logs` source → `parse_apisix` → `vlogs` ES sink. `location: osaka` 필드 추가 | -| 파서 | `custom/apisix-logs` (로컬, 서울 format: `IP - user [date] HOST "req" status bytes req_time "ref" "ua"`) | +| 파서 | `crowdsecurity/nginx-logs` (Vector가 표준 nginx combined로 변환) | ### APISIX → log-collector → CrowdSec (sandbox-tokyo)
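Review bot: In the parser row of the Traefik table (hunk at -31,7), the new text says Vector converts all logs to standard nginx combined before they reach VictoriaLogs, but the hunk context still describes the source as `Traefik DaemonSet (stdout JSON accessLog)` and no visible row names the Vector transform that turns the JSON access log into a combined line. Add the transform name or config path next to the parser entry so a parse failure in `crowdsecurity/nginx-logs` can be traced to the stage that produced the line. Separately, the unchanged authentication row prints the literal header value `Authorization: traefik-crowdsec-log-2024`; if that is the live shared secret, the doc should point to where it is stored instead of showing it.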
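Review bot: In the parser row of the APISIX table (hunk at -49,7), the removed line documented the Seoul format as `IP - user [date] HOST "req" status bytes req_time "ref" "ua"`, and standard nginx combined has no host or request-time field, so the replacement row should say what happens to `HOST` and `req_time` after the Vector conversion (dropped, or kept as separate VictoriaLogs fields). The unchanged Vector rows still name `parse_apisix` as the transform; state whether that transform is the one that now emits the combined line, and whether the Osaka `location: osaka` field is still available to CrowdSec, since the acquisition reads from VictoriaLogs with `query: program:apisix log_type:access`.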