Can't make postoverflow whitelist work

Hi there!

Trying "Creating whitelist | CrowdSec" here, can’t figure out why it’s not working :frowning:

Just changed the domain part of the example file, which gives me /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml:

name: me/Wanadoo
description: lets whitelist our own reverse dns
whitelist:
  reason: dont ban my ISP
  expression:
  #this is the reverse of my ip, you can get it by performing a "host" command on your public IP for example
    - evt.Enriched.reverse_dns endsWith '.abo.wanadoo.fr.'

A cscli postoverflows list gives:

INFO[19-06-2022 06:51:34 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/bucket-dump.yaml of type parsers
INFO[19-06-2022 06:51:34 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/bucketpour-dump.yaml of type parsers
INFO[19-06-2022 06:51:34 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/parser-dump.yaml of type parsers
POSTOVERFLOWS
--------------------------------------------------------------------------------------------------------
 NAME                📦 STATUS          VERSION  LOCAL PATH
--------------------------------------------------------------------------------------------------------
 Wanadoo.yml         🏠  enabled,local           /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml
 crowdsecurity/rdns  ✔️  enabled         0.2      /etc/crowdsec/postoverflows/s00-enrich/rdns.yaml
--------------------------------------------------------------------------------------------------------

A cscli postoverflow inspect Wanadoo.yml gives an error at the end; I think it’s OK as it’s never used:

INFO[19-06-2022 06:53:00 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/bucket-dump.yaml of type parsers
INFO[19-06-2022 06:53:00 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/bucketpour-dump.yaml of type parsers
INFO[19-06-2022 06:53:00 AM] Ignoring file /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/parser-dump.yaml of type parsers
type: postoverflows
stage: s01-whitelists
name: Wanadoo.yml
filename: Wanadoo.yml
author: ""
version: ""
local_path: /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml
localversion: ""
localhash: ""
installed: true
downloaded: false
uptodate: true
tainted: false
local: true

Current metrics :

ERRO[19-06-2022 06:53:00 AM] item of type 'postoverflows' is unknown

Thanks to Nextcloud and some spurious app, my IP gets easily banned (http-probing).
In decisions and alerts lists, AS and country are OK.
Performing a reverse DNS query with host gives an RDNS record ending with abo.wanadoo.fr.
Nothing about postoverflows in the crowdsec log (of course it was restarted after adding my whitelist).

Any idea or help welcome! :pray:

Hello,

First, be careful: you might have run the cscli explain command inside /etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/ and have garbage files left there (you can remove them).

Can you share the crowdsec logs when an alert is triggered, please? Maybe we can see some useful information to check why the postoverflow doesn’t work.

Can you also share the output of cscli metrics, please?

It would also help to have the output of cscli explain --verbose --file <path_to_log_file> --type <log_type> to check which parsers/postoverflows are working or not. Please put only 1 or 2 lines in the file, and the type should be the same as mentioned in your acquis.yaml file.

Hi,

Thanks for your reply!

I cleaned up my garbage, thank you for the warning :slight_smile:

Here is the log for the last time it happened (only “capi metrics” before & after):

time="18-06-2022 15:02:59" level=info msg="Ip 2.8.x.x performed 'crowdsecurity/http-probing' (11 events over 4.331772511s) at 2022-06-18 13:02:59.145650565 +0000 UTC"
time="18-06-2022 15:03:00" level=info msg="(4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW/crowdsec) crowdsecurity/http-probing by ip 2.8.x.x (FR/3215) : 596h ban on Ip 2.8.x.x"
time="18-06-2022 15:03:25" level=info msg="Signal push: 1 signals to push"

My metrics:

INFO[21-06-2022 07:42:04 AM] Buckets Metrics:
+-----------------------------------------+---------------+-----------+--------------+--------+---------+
|                 BUCKET                  | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+-----------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/dovecot-spam              | -             | -         | 2            | 2      | 2       |
| crowdsecurity/http-backdoors-attempts   | -             | 3         | 3            | 6      | -       |
| crowdsecurity/http-bad-user-agent       | -             | 10        | 25           | 35     | 15      |
| crowdsecurity/http-crawl-non_statics    | -             | -         | 10.71k       | 14.25k | 10.71k  |
| crowdsecurity/http-open-proxy           | -             | 8         | 8            | -      | -       |
| crowdsecurity/http-probing              | -             | 5         | 1.01k        | 2.48k  | 1.00k   |
| crowdsecurity/http-sensitive-files      | -             | -         | 75           | 80     | 75      |
| crowdsecurity/iptables-scan-multi_ports | 9             | 193       | 61.47k       | 70.38k | 61.27k  |
| crowdsecurity/postfix-spam              | -             | 10        | 2.56k        | 2.77k  | 2.55k   |
| crowdsecurity/thinkphp-cve-2018-20062   | -             | 2         | 2            | -      | -       |
+-----------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[21-06-2022 07:42:04 AM] Acquisition Metrics:
+------------------------+------------+--------------+----------------+------------------------+
|         SOURCE         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------+------------+--------------+----------------+------------------------+
| docker:mailserver      | 72.14k     | 11.79k       | 60.34k         | 2.77k                  |
| docker:nextcloud       | 32.71k     | -            | 32.71k         | -                      |
| docker:nginx           | 35.86k     | 35.23k       | 632            | 16.78k                 |
| docker:postfixadmin    | 54         | 48           | 6              | -                      |
| docker:welcome         | 284        | 278          | 6              | 77                     |
| file:/var/log/auth.log | 10.03k     | -            | 10.03k         | -                      |
| file:/var/log/kern.log | 22.27k     | 22.24k       | 27             | 10.14k                 |
| file:/var/log/syslog   | 29.44k     | 22.24k       | 7.20k          | 9.45k                  |
| file:/var/log/ufw.log  | 51.92k     | 51.86k       | 53             | 50.80k                 |
+------------------------+------------+--------------+----------------+------------------------+
INFO[21-06-2022 07:42:04 AM] Parser Metrics:
+------------------------------------+---------+---------+----------+
|              PARSERS               |  HITS   | PARSED  | UNPARSED |
+------------------------------------+---------+---------+----------+
| child-crowdsecurity/dovecot-logs   | 21.61k  | 9.02k   | 12.59k   |
| child-crowdsecurity/http-logs      | 106.67k | 77.61k  | 29.06k   |
| child-crowdsecurity/nextcloud-logs | 65.42k  | -       | 65.42k   |
| child-crowdsecurity/nginx-logs     | 36.88k  | 35.56k  | 1.32k    |
| child-crowdsecurity/postfix-logs   | 74.15k  | 2.77k   | 71.38k   |
| child-crowdsecurity/sshd-logs      | 500     | -       | 500      |
| child-crowdsecurity/syslog-logs    | 185.78k | 185.78k | -        |
| crowdsecurity/dateparse-enrich     | 143.69k | 143.69k | -        |
| crowdsecurity/dovecot-logs         | 13.22k  | 9.02k   | 4.20k    |
| crowdsecurity/geoip-enrich         | 143.69k | 143.69k | -        |
| crowdsecurity/http-logs            | 35.56k  | 34.65k  | 909      |
| crowdsecurity/iptables-logs        | 96.40k  | 96.34k  | 57       |
| crowdsecurity/nextcloud-logs       | 32.71k  | -       | 32.71k   |
| crowdsecurity/nginx-logs           | 36.20k  | 35.56k  | 644      |
| crowdsecurity/non-syslog           | 68.91k  | 68.91k  | -        |
| crowdsecurity/postfix-logs         | 25.76k  | 2.77k   | 22.99k   |
| crowdsecurity/rdns                 | 37      | 37      | -        |
| crowdsecurity/sshd-logs            | 50      | -       | 50       |
| crowdsecurity/syslog-logs          | 185.78k | 185.78k | -        |
| crowdsecurity/whitelists           | 143.69k | 143.69k | -        |
+------------------------------------+---------+---------+----------+
INFO[21-06-2022 07:42:04 AM] Local Api Metrics:
+----------------------+--------+--------+
|        ROUTE         | METHOD |  HITS  |
+----------------------+--------+--------+
| /v1/alerts           | GET    | 4      |
| /v1/alerts           | POST   | 37     |
| /v1/alerts/1516      | GET    | 3      |
| /v1/decisions        | DELETE | 1      |
| /v1/decisions/1516   | DELETE | 1      |
| /v1/decisions/stream | GET    | 103813 |
| /v1/watchers/login   | POST   | 40     |
+----------------------+--------+--------+
INFO[21-06-2022 07:42:04 AM] Local Api Machines Metrics:
+--------------------------------------------------+--------------------+--------+------+
|                     MACHINE                      |       ROUTE        | METHOD | HITS |
+--------------------------------------------------+--------------------+--------+------+
| 4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW | /v1/decisions      | DELETE | 1    |
| 4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW | /v1/decisions/1516 | DELETE | 1    |
| 4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW | /v1/alerts         | GET    | 4    |
| 4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW | /v1/alerts         | POST   | 37   |
| 4c4a8f75b33b4bfc93a37001820c6fd336VkIz2OUv4oXnWW | /v1/alerts/1516    | GET    | 3    |
+--------------------------------------------------+--------------------+--------+------+
INFO[21-06-2022 07:42:04 AM] Local Api Bouncers Metrics:
+----------------------------+----------------------+--------+--------+
|          BOUNCER           |        ROUTE         | METHOD |  HITS  |
+----------------------------+----------------------+--------+--------+
| FirewallBouncer-1648654646 | /v1/decisions/stream | GET    | 103813 |
+----------------------------+----------------------+--------+--------+

As I use Docker DSN, I had to copy/paste 2 lines of docker-compose logs into a file …

line: nginx           | 2.8.x.x - me@mydomain.net [18/Jun/2022:13:02:56 +0000] "PROPFIND /remote.php/webdav/Photos/usbcamera/ HTTP/1.1" 404 255 "-" "" "-"
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/apache2-logs
        |       ├ 🔴 crowdsecurity/dovecot-logs
        |       ├ 🔴 crowdsecurity/iptables-logs
        |       ├ 🔴 crowdsecurity/mysql-logs
        |       ├ 🔴 crowdsecurity/nextcloud-logs
        |       └ 🟢 crowdsecurity/nginx-logs (+21 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.proxy_alternative_upstream_name :
        |               └ create evt.Parsed.target_fqdn :
        |               └ create evt.Parsed.body_bytes_sent : 255
        |               └ create evt.Parsed.proxy_upstream_name :
        |               └ create evt.Parsed.request_length :
        |               └ create evt.Parsed.time_local : 18/Jun/2022:13:02:56 +0000
        |               └ create evt.Parsed.http_referer : -
        |               └ create evt.Parsed.http_user_agent :
        |               └ create evt.Parsed.remote_user : me@mydomain.net
        |               └ create evt.Parsed.request : /remote.php/webdav/Photos/usbcamera/
        |               └ create evt.Parsed.request_time :
        |               └ create evt.Parsed.status : 404
        |               └ create evt.Parsed.verb : PROPFIND
        |               └ create evt.Parsed.http_version : 1.1
        |               └ create evt.Parsed.remote_addr : 2.8.x.x
        |               └ update evt.StrTime :  -> 18/Jun/2022:13:02:56 +0000
        |               └ create evt.Meta.http_path : /remote.php/webdav/Photos/usbcamera/
        |               └ create evt.Meta.http_status : 404
        |               └ create evt.Meta.http_verb : PROPFIND
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.service : http
        |               └ create evt.Meta.source_ip : 2.8.x.x
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2022-06-18T13:02:56Z
        |               ├ update evt.MarshaledTime :  -> 2022-06-18T13:02:56Z
        |               ├ create evt.Meta.timestamp : 2022-06-18T13:02:56Z
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.ASNOrg : Orange
        |               ├ create evt.Enriched.Longitude : x
        |               ├ create evt.Enriched.SourceRange : 2.0.0.0/12
        |               ├ create evt.Enriched.ASNNumber : 3215
        |               ├ create evt.Enriched.ASNumber : 3215
        |               ├ create evt.Enriched.IsInEU : true
        |               ├ create evt.Enriched.IsoCode : FR
        |               ├ create evt.Enriched.Latitude : x
        |               ├ create evt.Meta.ASNNumber : 3215
        |               ├ create evt.Meta.ASNOrg : Orange
        |               ├ create evt.Meta.IsInEU : true
        |               ├ create evt.Meta.IsoCode : FR
        |               ├ create evt.Meta.SourceRange : 2.0.0.0/12
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |               ├ create evt.Parsed.file_name : usbcamera/
        |               ├ create evt.Parsed.impact_completion : false
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Parsed.file_frag : usbcamera/
        |               ├ create evt.Parsed.file_dir : /remote.php/webdav/Photos/
        |               ├ create evt.Parsed.file_ext :
        |               ├ create evt.Meta.http_args_len : 0
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                └ 🟢 crowdsecurity/http-probing

line: nginx           | 2.8.x.x - me@mydomain.net [18/Jun/2022:13:02:57 +0000] "PROPFIND /remote.php/webdav/Photos/SnakeCamera/ HTTP/1.1" 404 257 "-" "" "-"
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/apache2-logs
        |       ├ 🔴 crowdsecurity/dovecot-logs
        |       ├ 🔴 crowdsecurity/iptables-logs
        |       ├ 🔴 crowdsecurity/mysql-logs
        |       ├ 🔴 crowdsecurity/nextcloud-logs
        |       └ 🟢 crowdsecurity/nginx-logs (+21 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.proxy_alternative_upstream_name :
        |               └ create evt.Parsed.proxy_upstream_name :
        |               └ create evt.Parsed.request_length :
        |               └ create evt.Parsed.request_time :
        |               └ create evt.Parsed.body_bytes_sent : 257
        |               └ create evt.Parsed.verb : PROPFIND
        |               └ create evt.Parsed.http_referer : -
        |               └ create evt.Parsed.remote_addr : 2.8.x.x
        |               └ create evt.Parsed.remote_user : me@mydomain.net
        |               └ create evt.Parsed.request : /remote.php/webdav/Photos/SnakeCamera/
        |               └ create evt.Parsed.status : 404
        |               └ create evt.Parsed.target_fqdn :
        |               └ create evt.Parsed.http_user_agent :
        |               └ create evt.Parsed.http_version : 1.1
        |               └ create evt.Parsed.time_local : 18/Jun/2022:13:02:57 +0000
        |               └ update evt.StrTime :  -> 18/Jun/2022:13:02:57 +0000
        |               └ create evt.Meta.http_path : /remote.php/webdav/Photos/SnakeCamera/
        |               └ create evt.Meta.http_status : 404
        |               └ create evt.Meta.http_verb : PROPFIND
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.service : http
        |               └ create evt.Meta.source_ip : 2.8.x.x
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2022-06-18T13:02:57Z
        |               ├ update evt.MarshaledTime :  -> 2022-06-18T13:02:57Z
        |               ├ create evt.Meta.timestamp : 2022-06-18T13:02:57Z
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.Latitude : x
        |               ├ create evt.Enriched.Longitude : x
        |               ├ create evt.Enriched.SourceRange : 2.0.0.0/12
        |               ├ create evt.Enriched.ASNNumber : 3215
        |               ├ create evt.Enriched.ASNOrg : Orange
        |               ├ create evt.Enriched.IsInEU : true
        |               ├ create evt.Enriched.IsoCode : FR
        |               ├ create evt.Enriched.ASNumber : 3215
        |               ├ create evt.Meta.IsInEU : true
        |               ├ create evt.Meta.SourceRange : 2.0.0.0/12
        |               ├ create evt.Meta.ASNOrg : Orange
        |               ├ create evt.Meta.ASNNumber : 3215
        |               ├ create evt.Meta.IsoCode : FR
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |               ├ create evt.Parsed.file_ext :
        |               ├ create evt.Parsed.file_frag : SnakeCamera/
        |               ├ create evt.Parsed.file_name : SnakeCamera/
        |               ├ create evt.Parsed.file_dir : /remote.php/webdav/Photos/
        |               ├ create evt.Parsed.impact_completion : false
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Meta.http_args_len : 0
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                └ 🟢 crowdsecurity/http-probing

Hope this contains something of interest?

It happened again today, here is the explain:

root@vcs1:~# cscli explain -v  -f ./bug.txt -t nginx
line: nginx           | 2022-06-22T07:32:24.874752782Z 2.8.x.x - - [22/Jun/2022:07:32:24 +0000] "GET /apps/bookmarks/folder/28/publictoken HTTP/2.0" 404 49 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 YaBrowser/22.5.2.615 Yowser/2.5 Safari/537.36" "-"
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/apache2-logs
        |       ├ 🔴 crowdsecurity/dovecot-logs
        |       ├ 🔴 crowdsecurity/iptables-logs
        |       ├ 🔴 crowdsecurity/mysql-logs
        |       ├ 🔴 crowdsecurity/nextcloud-logs
        |       └ 🟢 crowdsecurity/nginx-logs (+23 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.proxy_upstream_name :
        |               └ create evt.Parsed.request : /apps/bookmarks/folder/28/publictoken
        |               └ create evt.Parsed.request_length :
        |               └ create evt.Parsed.status : 404
        |               └ create evt.Parsed.target_fqdn : 24.874752782Z
        |               └ create evt.Parsed.verb : GET
        |               └ create evt.Parsed.proxy_alternative_upstream_name :
        |               └ create evt.Parsed.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 YaBrowser/22.5.2.615 Yowser/2.5 Safari/537.36
        |               └ create evt.Parsed.request_time :
        |               └ create evt.Parsed.remote_user : -
        |               └ create evt.Parsed.time_local : 22/Jun/2022:07:32:24 +0000
        |               └ create evt.Parsed.http_version : 2.0
        |               └ create evt.Parsed.remote_addr : 2.8.x.x
        |               └ create evt.Parsed.body_bytes_sent : 49
        |               └ create evt.Parsed.http_referer : -
        |               └ update evt.StrTime :  -> 22/Jun/2022:07:32:24 +0000
        |               └ create evt.Meta.source_ip : 2.8.x.x
        |               └ create evt.Meta.http_status : 404
        |               └ create evt.Meta.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 YaBrowser/22.5.2.615 Yowser/2.5 Safari/537.36
        |               └ create evt.Meta.http_verb : GET
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.service : http
        |               └ create evt.Meta.http_path : /apps/bookmarks/folder/28/publictoken
        |               └ create evt.Meta.target_fqdn : 24.874752782Z
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2022-06-22T07:32:24Z
        |               ├ update evt.MarshaledTime :  -> 2022-06-22T07:32:24Z
        |               ├ create evt.Meta.timestamp : 2022-06-22T07:32:24Z
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.ASNNumber : 3215
        |               ├ create evt.Enriched.IsInEU : true
        |               ├ create evt.Enriched.Latitude : x
        |               ├ create evt.Enriched.SourceRange : 2.0.0.0/12
        |               ├ create evt.Enriched.ASNOrg : Orange
        |               ├ create evt.Enriched.ASNumber : 3215
        |               ├ create evt.Enriched.IsoCode : FR
        |               ├ create evt.Enriched.Longitude : x
        |               ├ create evt.Meta.IsInEU : true
        |               ├ create evt.Meta.IsoCode : FR
        |               ├ create evt.Meta.SourceRange : 2.0.0.0/12
        |               ├ create evt.Meta.ASNNumber : 3215
        |               ├ create evt.Meta.ASNOrg : Orange
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |               ├ create evt.Parsed.file_ext :
        |               ├ create evt.Parsed.file_frag : publictoken
        |               ├ create evt.Parsed.file_dir : /apps/bookmarks/folder/28/
        |               ├ create evt.Parsed.impact_completion : false
        |               ├ create evt.Parsed.file_name : publictoken
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Meta.http_args_len : 0
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                ├ 🟢 crowdsecurity/http-crawl-non_statics
                └ 🟢 crowdsecurity/http-probing

Hello,

Sadly, cscli explain doesn’t work with postoverflows :confused:. Can you put your postoverflows in debug mode so we can see what happens in crowdsec’s log?

We are also available on Discord if you want to join; it is easier for debugging.


I feel very, very dumb :frowning:

Looking at Crowdsec logs after restarting, I found:
time="22-06-2022 11:54:11" level=warning msg="skip non yaml : /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml"

After renaming the file to Wanadoo.yaml:

time="22-06-2022 12:09:55" level=info msg="me/Wanadoo has debug enabled" id=little-bird
time="22-06-2022 12:09:55" level=debug msg="adding expression evt.Enriched.reverse_dns endsWith '.abo.wanadoo.fr.' to whitelists" id=little-bird name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 12:09:55" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yaml
time="22-06-2022 12:09:56" level=info msg="me/Wanadoo has debug enabled" id=holy-cloud
time="22-06-2022 12:09:56" level=debug msg="adding expression evt.Enriched.reverse_dns endsWith '.abo.wanadoo.fr.' to whitelists" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 12:09:56" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yaml
time="22-06-2022 14:07:07" level=debug msg="eval(evt.Enriched.reverse_dns endsWith '.abo.wanadoo.fr.') = TRUE" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 14:07:07" level=debug msg="eval variables:" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 14:07:07" level=debug msg="       evt.Enriched.reverse_dns = 'xxxxxxxx50.abo.wanadoo.fr.'" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 14:07:07" level=debug msg="Event is whitelisted by expr, reason [dont ban my ISP]" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 14:07:07" level=info msg="Ban for x.x.x.x whitelisted, reason [dont ban my ISP]" id=holy-cloud name=me/Wanadoo stage=s01-whitelists
time="22-06-2022 14:07:07" level=debug msg="Event leaving node : ok" id=holy-cloud name=me/Wanadoo stage=s01-whitelists

Very, very sorry, my bad :confounded: :crying_cat_face:

This is not your fault but rather a bug on our side. We will fix this in the next release to support .yml files.


Thanks :smiley_cat:

At least there is a message in the log, even if it’s difficult to find in all the startup messages :wink:
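A check that would have caught this sooner, as an added example (not CrowdSec's own code, and not anything posted in the thread): a POSIX shell snippet that lists the files crowdsec will skip because their name does not end in .yaml, pulls the "skip non yaml" warnings out of the crowdsec log, and emulates the whitelist's `endsWith` expression against sample reverse-DNS values. It assumes the loader behaviour shown above (at this version only `.yaml` files are loaded, and anything else is logged as `skip non yaml : <path>`) and that the rdns enrichment stores a fully-qualified name with a trailing dot, as the debug line `evt.Enriched.reverse_dns = 'xxxxxxxx50.abo.wanadoo.fr.'` shows. The temporary directory, the whitelist copy and the log line it works on are constructed for the demo.

```shell
# Added example, not CrowdSec code. Three small checks for a local
# postoverflow that silently "does nothing".
#
# Assumptions (see the thread): the engine only loads files ending in .yaml
# and logs `skip non yaml : <path>` for the rest; the rdns enrichment gives
# a trailing-dot FQDN such as 'xxxxxxxx50.abo.wanadoo.fr.'.

# Print every regular file under DIR whose name does not end in .yaml,
# i.e. a file the engine will skip even though `cscli ... list` shows it.
find_skipped_items() {
    find "$1" -type f ! -name '*.yaml' | sort
}

# Extract the paths crowdsec reported as skipped from a crowdsec.log.
# A matching line looks like:
#   time="..." level=warning msg="skip non yaml : /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml"
skipped_in_log() {
    sed -n 's/.*msg="skip non yaml : \([^"]*\)".*/\1/p' "$1"
}

# Emulate the whitelist expression
#   evt.Enriched.reverse_dns endsWith '<suffix>'
# with a shell glob. Returns 0 when RDNS ends with SUFFIX, 1 otherwise.
rdns_whitelisted() {
    case "$1" in
        *"$2") return 0 ;;
        *)     return 1 ;;
    esac
}

# --- demo on constructed data (a temp dir, not a real /etc/crowdsec) ---
demo=$(mktemp -d)
mkdir -p "$demo/postoverflows/s00-enrich" "$demo/postoverflows/s01-whitelists"
: > "$demo/postoverflows/s00-enrich/rdns.yaml"       # hub item: loads
cat > "$demo/postoverflows/s01-whitelists/Wanadoo.yml" <<'EOF'
name: me/Wanadoo
description: lets whitelist our own reverse dns
whitelist:
  reason: dont ban my ISP
  expression:
    - evt.Enriched.reverse_dns endsWith '.abo.wanadoo.fr.'
EOF
printf '%s\n' \
  'time="22-06-2022 11:54:11" level=warning msg="skip non yaml : /etc/crowdsec/postoverflows/s01-whitelists/Wanadoo.yml"' \
  > "$demo/crowdsec.log"

echo "files the engine will not load:"
find_skipped_items "$demo/postoverflows"
echo "paths the log says were skipped:"
skipped_in_log "$demo/crowdsec.log"

# The trailing dot matters: with the suffix written as '.abo.wanadoo.fr.'
# a reverse name without the final dot would not be whitelisted.
suffix='.abo.wanadoo.fr.'
for rdns in 'xxxxxxxx50.abo.wanadoo.fr.' 'xxxxxxxx50.abo.wanadoo.fr' 'host.example.net.'; do
    if rdns_whitelisted "$rdns" "$suffix"; then
        echo "$rdns -> whitelisted"
    else
        echo "$rdns -> NOT whitelisted"
    fi
done
rm -rf "$demo"
```

Run `find_skipped_items /etc/crowdsec/postoverflows` (and the same for parsers and scenarios) after dropping in a local file, then confirm with `skipped_in_log /var/log/crowdsec.log` after a restart. The thread shows why the listing alone is not enough: `cscli postoverflows list` reported Wanadoo.yml as enabled,local while the engine had skipped it, so the startup log line ("Loaded 1 parser nodes" for the file, or "skip non yaml") is the evidence that counts.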