Appsec log "XML syntax error"

I’m getting this error in crowdsec.log:

level=error msg=“Failed to process request body” band=inband chain_rule_id=xxxx error=“XML syntax error on line 1: unexpected end element </param>” name=myAppSecComponent runner_uuid=xxxxx tx_id=xxxxxx type=appsec

I’m running openresty and my appsec component has appsec_config: crowdsecurity/appsec-default and in my appsec-configs dir I have appsec-default.yaml, virtual-patching.yaml, generic-rules.yaml.

Sorry but I’m a newb on crowdsec and I don’t know how to inspect or debug the error to see which specific rule triggers it.

Can I use cscli or some other way to inspect the tx_id or chain_rule_id ?

Do you know why I’m getting this error?

Thank you

Can you provide the output of cscli appsec-rules list also the chain rule id can help, I guess you haven’t loaded any custom rules?

I got this error multiple times with different chain_rule_ids. One of them is chain_rule_id=1028131547 if it helps.

I don’t know what the chain_rule_id, runner_uuid and tx_id refer to. If you don’t think they’re sensitive information I can post all the error logs.

I don’t have any custom appsec rules.

This is the output of cscli appsec-rules list

APPSEC-RULES

---

Name Status Version Local Path

---

crowdsecurity/base-config enabled 0.1 /etc/crowdsec/appsec-rules/base-config.yaml

crowdsecurity/generic-freemarker-ssti enabled 0.3 /etc/crowdsec/appsec-rules/generic-freemarker-ssti.yaml

crowdsecurity/generic-wordpress-uploads-php enabled 0.1 /etc/crowdsec/appsec-rules/generic-wordpress-uploads-php.yaml

crowdsecurity/vpatch-connectwise-auth-bypass enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-connectwise-auth-bypass.yaml

crowdsecurity/vpatch-CVE-2017-9841 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2017-9841.yaml

crowdsecurity/vpatch-CVE-2018-1000861 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2018-1000861.yaml

crowdsecurity/vpatch-CVE-2018-10562 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2018-10562.yaml

crowdsecurity/vpatch-CVE-2018-13379 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2018-13379.yaml

crowdsecurity/vpatch-CVE-2018-20062 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2018-20062.yaml

crowdsecurity/vpatch-CVE-2019-1003030 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2019-1003030.yaml

crowdsecurity/vpatch-CVE-2019-12989 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2019-12989.yaml

crowdsecurity/vpatch-CVE-2019-18935 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2019-18935.yaml

crowdsecurity/vpatch-CVE-2020-11738 enabled 0.6 /etc/crowdsec/appsec-rules/vpatch-CVE-2020-11738.yaml

crowdsecurity/vpatch-CVE-2020-17496 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2020-17496.yaml

crowdsecurity/vpatch-CVE-2020-5902 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2020-5902.yaml

crowdsecurity/vpatch-CVE-2021-22941 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2021-22941.yaml

crowdsecurity/vpatch-CVE-2021-26086 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2021-26086.yaml

crowdsecurity/vpatch-CVE-2021-3129 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2021-3129.yaml

crowdsecurity/vpatch-CVE-2022-22954 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-22954.yaml

crowdsecurity/vpatch-CVE-2022-22965 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-22965.yaml

crowdsecurity/vpatch-CVE-2022-25488 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-25488.yaml

crowdsecurity/vpatch-CVE-2022-26134 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-26134.yaml

crowdsecurity/vpatch-CVE-2022-27926 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-27926.yaml

crowdsecurity/vpatch-CVE-2022-35914 enabled 0.5 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-35914.yaml

crowdsecurity/vpatch-CVE-2022-41082 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-41082.yaml

crowdsecurity/vpatch-CVE-2022-44877 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-44877.yaml

crowdsecurity/vpatch-CVE-2022-46169 enabled 0.5 /etc/crowdsec/appsec-rules/vpatch-CVE-2022-46169.yaml

crowdsecurity/vpatch-CVE-2023-1389 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-1389.yaml

crowdsecurity/vpatch-CVE-2023-20198 enabled 0.6 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-20198.yaml

crowdsecurity/vpatch-CVE-2023-22515 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-22515.yaml

crowdsecurity/vpatch-CVE-2023-22527 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-22527.yaml

crowdsecurity/vpatch-CVE-2023-23752 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-23752.yaml

crowdsecurity/vpatch-CVE-2023-24489 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-24489.yaml

crowdsecurity/vpatch-CVE-2023-28121 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-28121.yaml

crowdsecurity/vpatch-CVE-2023-33617 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-33617.yaml

crowdsecurity/vpatch-CVE-2023-34362 enabled 0.6 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-34362.yaml

crowdsecurity/vpatch-CVE-2023-35078 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-35078.yaml

crowdsecurity/vpatch-CVE-2023-35082 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-35082.yaml

crowdsecurity/vpatch-CVE-2023-3519 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-3519.yaml

crowdsecurity/vpatch-CVE-2023-38205 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-38205.yaml

crowdsecurity/vpatch-CVE-2023-40044 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-40044.yaml

crowdsecurity/vpatch-CVE-2023-42793 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-42793.yaml

crowdsecurity/vpatch-CVE-2023-46805 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-46805.yaml

crowdsecurity/vpatch-CVE-2023-47218 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-47218.yaml

crowdsecurity/vpatch-CVE-2023-49070 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-49070.yaml

crowdsecurity/vpatch-CVE-2023-50164 enabled 0.6 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-50164.yaml

crowdsecurity/vpatch-CVE-2023-6553 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-6553.yaml

crowdsecurity/vpatch-CVE-2023-7028 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2023-7028.yaml

crowdsecurity/vpatch-CVE-2024-0012 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-0012.yaml

crowdsecurity/vpatch-CVE-2024-1212 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-1212.yaml

crowdsecurity/vpatch-CVE-2024-22024 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-22024.yaml

crowdsecurity/vpatch-CVE-2024-23897 enabled 0.4 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-23897.yaml

crowdsecurity/vpatch-CVE-2024-27198 enabled 0.5 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-27198.yaml

crowdsecurity/vpatch-CVE-2024-27348 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-27348.yaml

crowdsecurity/vpatch-CVE-2024-27954 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-27954.yaml

crowdsecurity/vpatch-CVE-2024-27956 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-27956.yaml

crowdsecurity/vpatch-CVE-2024-28255 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-28255.yaml

crowdsecurity/vpatch-CVE-2024-28987 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-28987.yaml

crowdsecurity/vpatch-CVE-2024-29824 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-29824.yaml

crowdsecurity/vpatch-CVE-2024-29849 enabled 0.5 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-29849.yaml

crowdsecurity/vpatch-CVE-2024-29973 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-29973.yaml

crowdsecurity/vpatch-CVE-2024-32113 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-32113.yaml

crowdsecurity/vpatch-CVE-2024-3272 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-3272.yaml

crowdsecurity/vpatch-CVE-2024-3273 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-3273.yaml

crowdsecurity/vpatch-CVE-2024-34102 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-34102.yaml

crowdsecurity/vpatch-CVE-2024-38816 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-38816.yaml

crowdsecurity/vpatch-CVE-2024-38856 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-38856.yaml

crowdsecurity/vpatch-CVE-2024-41713 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-41713.yaml

crowdsecurity/vpatch-CVE-2024-4577 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-4577.yaml

crowdsecurity/vpatch-CVE-2024-51378 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-51378.yaml

crowdsecurity/vpatch-CVE-2024-51567 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-51567.yaml

crowdsecurity/vpatch-CVE-2024-52301 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-52301.yaml

crowdsecurity/vpatch-CVE-2024-6205 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-6205.yaml

crowdsecurity/vpatch-CVE-2024-7593 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-7593.yaml

crowdsecurity/vpatch-CVE-2024-8190 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-8190.yaml

crowdsecurity/vpatch-CVE-2024-8963 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-8963.yaml

crowdsecurity/vpatch-CVE-2024-9465 enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-9465.yaml

crowdsecurity/vpatch-CVE-2024-9474 enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-CVE-2024-9474.yaml

crowdsecurity/vpatch-CVE-2025-29927 enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-CVE-2025-29927.yaml

crowdsecurity/vpatch-env-access enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-env-access.yaml

crowdsecurity/vpatch-git-config enabled 0.2 /etc/crowdsec/appsec-rules/vpatch-git-config.yaml

crowdsecurity/vpatch-laravel-debug-mode enabled 0.3 /etc/crowdsec/appsec-rules/vpatch-laravel-debug-mode.yaml

crowdsecurity/vpatch-symfony-profiler enabled 0.1 /etc/crowdsec/appsec-rules/vpatch-symfony-profiler.yaml

Most likely the error happens when crowdsec was trying to process the body and it was invalid or non complete XML. its nothing specific to your setup and is not an issue as it will log the error but continue processing.