Hello,
I tried to update my installation (v1.0.7) with the repo.
I installed it with apt and recopied my previous cred in local_api_credentials.yaml and in online_api_credentials.yaml (these files were empty after installation).
But now if I want to do a cscli decisions list I have:
“FATA[0000] Unable to list decisions : performing request: Get http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false: could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused”
If I don’t copy my previous cred I have:
“crowdsec[15983]: time=“2021-03-30T10:45:02+02:00” level=fatal msg=“missing local API credentials for crowdsec agent, abort””
Is there a procedure or any tips for this case?
Thanks
Seb
Hello @graoully54,
Can you paste the content of the following files please:
- /etc/crowdsec/config.yaml
- /etc/crowdsec/local_api_credentials.yaml (only the url: part)
Of course !
cat /etc/crowdsec/config.yaml
common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
  hub_branch: master
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    tls:
      cert_file: /etc/crowdsec/ssl/cert.pem
      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
cat /etc/crowdsec/local_api_credentials.yaml
url: http://127.0.0.1:8080/
Thanks for your help
Thanks @graoully54
In your config.yaml, the crowdsec LAPI should listen on 127.0.0.1:8080 but in the cscli decisions list output we can see that the connection is refused on 127.0.0.1:8080.
Is the local API running on the machine where you invoke cscli ?
Maybe my previous install?
But if I do a “netstat -laputen” I have no port 8080 in use and if I do a “ps aux |grep crowdsec” I get this one: " mars26 1:07 /usr/local/bin/cs-firewall-bouncer -c /etc/crowdsec/cs-firewall-bouncer//cs-firewall-bouncer.yaml"
I have to kill this instance? And if yes, what happens at reboot?
thanks for your support
Hello @graoully54 ,
It means that crowdsec agent and the local API are not running.
Can you please restart crowdsec (sudo systemctl restart crowdsec) and check what happens?
Thanks for your answer. I already tried, unfortunately I always have the same error:
sudo systemctl restart crowdsec
cscli decisions list
FATA[0000] Unable to list decisions : performing request: Get http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false: could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused
After running sudo systemctl status crowdsec, can you paste the output of:
Please:
sudo systemctl restart crowdsec
sudo systemctl status crowdsec
● crowdsec.service - Crowdsec agent
Loaded: loaded (/etc/systemd/system/crowdsec.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2021-04-01 21:20:44 CEST; 6s ago
Process: 25754 ExecStart=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml (code=exited, status=1/FAILURE)
Process: 25717 ExecStartPre=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml -t (code=exited, status=0/SUCCESS)
Main PID: 25754 (code=exited, status=1/FAILURE)
avril 01 21:20:40 WebProd005 systemd[1]: Starting Crowdsec agent…
avril 01 21:20:44 WebProd005 systemd[1]: Started Crowdsec agent.
avril 01 21:20:44 WebProd005 crowdsec[25754]: 127.0.0.1 - [Thu, 01 Apr 2021 21:20:44 CEST] "POST /v1/watchers/login HTTP/1.1 401 345.696µs “crowdsec/v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900” "
avril 01 21:20:44 WebProd005 systemd[1]: crowdsec.service: Main process exited, code=exited, status=1/FAILURE
avril 01 21:20:44 WebProd005 systemd[1]: crowdsec.service: Failed with result ‘exit-code’.
And the log:
time=“01-04-2021 21:20:41” level=info msg=“Crowdsec v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900”
time=“01-04-2021 21:20:41” level=info msg=“Loading prometheus collectors”
time=“01-04-2021 21:20:41” level=info msg=“Loading CAPI pusher”
time=“01-04-2021 21:20:42” level=info msg=“Loading grok library /etc/crowdsec//patterns/”
time=“01-04-2021 21:20:42” level=info msg=“Loading enrich plugins”
time=“01-04-2021 21:20:43” level=info msg=“Loading parsers 10 stages”
time=“01-04-2021 21:20:43” level=info msg=“Node in /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping.”
time=“01-04-2021 21:20:43” level=info msg=“Loaded 2 parser nodes” file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 0 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 10 nodes, 3 stages”
time=“01-04-2021 21:20:43” level=info msg=“Loading postoverflow Parsers”
time=“01-04-2021 21:20:43” level=info msg=“Loaded 0 nodes, 0 stages”
time=“01-04-2021 21:20:43” level=info msg=“Loading 12 scenario files”
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=weathered-haze file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=falling-leaf file=/etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml name=crowdsecurity/iptables-scan-multi_ports
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=cool-forest file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=late-water file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=delicate-wave file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=snowy-sun file=/etc/crowdsec/scenarios/mysql-bf.yaml name=crowdsecurity/mysql-bf
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=autumn-lake file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=throbbing-mountain file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=long-frost file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=holy-violet file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=lingering-smoke file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=bold-forest file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time=“01-04-2021 21:20:43” level=info msg=“Adding trigger bucket” cfg=cool-dust file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time=“01-04-2021 21:20:43” level=warning msg=“Loaded 13 scenarios”
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/error.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/other_vhosts_access.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/access.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/auth.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/mysql/error.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/syslog’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/kern.log’"
time=“01-04-2021 21:20:43” level=warning msg=“while configuring datasource : empty filename(s) and journalctl filter, malformed datasource”
time=“01-04-2021 21:20:43” level=info msg=“test done”
time=“01-04-2021 21:20:43” level=info msg=“Crowdsec v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900”
time=“01-04-2021 21:20:43” level=info msg=“Loading prometheus collectors”
time=“01-04-2021 21:20:43” level=info msg=“Loading CAPI pusher”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api pull (interval: 2h)”
time=“01-04-2021 21:20:43” level=warning msg=“scenario list is empty, will not pull yet”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api send metrics (interval: 30m)”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api push (interval: 30s)”
time=“01-04-2021 21:20:43” level=info msg=“Loading grok library /etc/crowdsec//patterns/”
time=“01-04-2021 21:20:44” level=info msg=“Loading enrich plugins”
time=“01-04-2021 21:20:44” level=info msg=“Loading parsers 10 stages”
time=“01-04-2021 21:20:44” level=info msg=“Node in /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping.”
time=“01-04-2021 21:20:44” level=info msg=“Loaded 2 parser nodes” file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 0 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 10 nodes, 3 stages”
time=“01-04-2021 21:20:44” level=info msg=“Loading postoverflow Parsers”
time=“01-04-2021 21:20:44” level=info msg=“Loaded 0 nodes, 0 stages”
time=“01-04-2021 21:20:44” level=info msg=“Loading 12 scenario files”
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=dry-moon file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=patient-leaf file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=shy-leaf file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=winter-night file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=nameless-voice file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=billowing-darkness file=/etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml name=crowdsecurity/iptables-scan-multi_ports
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=billowing-voice file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=little-waterfall file=/etc/crowdsec/scenarios/mysql-bf.yaml name=crowdsecurity/mysql-bf
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=ancient-fog file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=broken-dream file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=broken-night file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=young-firefly file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time=“01-04-2021 21:20:44” level=info msg=“Adding trigger bucket” cfg=damp-violet file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time=“01-04-2021 21:20:44” level=warning msg=“Loaded 13 scenarios”
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/error.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/other_vhosts_access.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/access.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/auth.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/mysql/error.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/syslog’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/kern.log’"
time=“01-04-2021 21:20:44” level=warning msg=“while configuring datasource : empty filename(s) and journalctl filter, malformed datasource”
time=“01-04-2021 21:20:44” level=warning msg=“Starting processing data”
time=“01-04-2021 21:20:44” level=info msg="Error machine login for 6[…]7 : ent: machine not found "
time=“01-04-2021 21:20:44” level=fatal msg=“starting outputs error : authenticate watcher (6[…]7): Post http://127.0.0.1:8080/v1/watchers/login: received response status “401 Unauthorized” when fetching http://127.0.0.1:8080/v1/watchers/login”
Thanks !!!
Hello @graoully54
Your crowdsec agent is not registered to the local API.
Can you please run: sudo cscli machines add -a and restart crowdsec?
Yes it’s working many thanks !
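The diagnosis reached in this thread, as an added example that is not part of the original posts and is not CrowdSec code: a small shell function that scans cscli or crowdsec output for the three failure messages quoted above and names the likely cause, checking the root causes before the "connection refused" symptom. The function name, verdict labels and sample lines are constructed for illustration; `<machine-id>` is a placeholder.

```bash
#!/bin/sh
# Added example (not CrowdSec code): triage the failure messages quoted in this thread.
# diagnose_lapi reads cscli / crowdsec output on stdin and prints "verdict: next step".

diagnose_lapi() {
    _log=$(cat)
    has() { printf '%s\n' "$_log" | grep -qE "$1"; }

    # Check root causes first: "connection refused" from cscli is often only the
    # symptom of the crowdsec service having exited for one of these reasons.
    if has 'machine not found|watchers/login.*(HTTP/1\.1 401|401 Unauthorized)'; then
        echo "agent-not-registered: run 'sudo cscli machines add -a', then restart crowdsec"
    elif has 'missing local API credentials'; then
        echo "credentials-missing: check the file set in api.client.credentials_path"
    elif has 'connect: connection refused'; then
        echo "lapi-not-listening: check 'sudo systemctl status crowdsec' and the crowdsec log"
    else
        echo "unknown: no known LAPI failure pattern found"
    fi
}

# Constructed sample inputs, modelled on the messages posted in the thread.
sample_cscli() {
    cat <<'EOF'
FATA[0000] Unable to list decisions : performing request: could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused
EOF
}

sample_service() {
    cat <<'EOF'
time="01-04-2021 21:20:44" level=info msg="Error machine login for <machine-id> : ent: machine not found "
time="01-04-2021 21:20:44" level=fatal msg="starting outputs error : authenticate watcher (<machine-id>): Post http://127.0.0.1:8080/v1/watchers/login: received response status \"401 Unauthorized\" when fetching http://127.0.0.1:8080/v1/watchers/login"
EOF
}

sample_nocreds() {
    cat <<'EOF'
time="2021-03-30T10:45:02+02:00" level=fatal msg="missing local API credentials for crowdsec agent, abort"
EOF
}

# Demo: cscli output alone only shows the symptom; adding the service log
# exposes the root cause.
sample_cscli | diagnose_lapi
{ sample_cscli; sample_service; } | diagnose_lapi
sample_nocreds | diagnose_lapi
```
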
Hi, I have a similar error. Could you help me?
I use this command “sudo cscli decisions list”
This photo is after using the command “sudo systemctl status crowdsec”
Most likely crowdsec is trying to use port 8080 and you already have another application using that port?