Collection for ProFTP will not fire

Hello

I installed the collection for ProFTP and i also reloaded the service.

As usual i expected tons of alerts as i experienced with Fail2Ban. But nothing happens.
I checked as good as possible the actual installation:

A “cscli collections list” shows the right collection “proftpd”
A “cscli scenarios list” shows me two scenarios: “proftpd-bf” and “proftpd-bf_user-enum”
A “cscli bouncers list” shows the “FirewallBouncer-1641465332”

This doens’t look really bad, i guess.

As a beginner with CrowdSec i’m not familiary how the log file “crowdsec-firewall-bouncer.log” should look after a few hours of working time. I can see a lot ot “decisions added” and “decisions deleted” entries.

What can i do for a more analysis?

Thanks

Hi @martin.schaible,

You can use cscli to list your alerts, decisions etc.

List your alerts : cscli alerts list
List your actives decisions : cscli decisions list

You can also look at crowdsec log to see when an alert is triggered, logs are located by default at /var/log/crowdsec.log. It contains all crowdsec logs not only the alerts.

Hi @he2ss

I did this already, no related alert was triggered ever on all servers.

How can i check, that the log file “\var\log\secure” is the source for the log file parser?
Maybe it’s a start to check some basic things.