Could not get jwt token after apt install

Hello,

I tried to update my installation (v1.0.7) with the repo.
I installed it with apt and recopied my previous cred in local_api_credentials.yaml and in online_api_credentials.yaml (these files were empty after installation).
But now if I want to do a cscli decisions list I have:
“FATA[0000] Unable to list decisions : performing request: Get http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false: could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused”

If I don’t copy my previous cred I have:
“crowdsec[15983]: time=“2021-03-30T10:45:02+02:00” level=fatal msg=“missing local API credentials for crowdsec agent, abort””

Is there a procedure / a tip in this case?
Thanks
Seb

Hello @graoully54,

Can you paste the content of the following files please:

  • /etc/crowdsec/config.yaml
  • /etc/crowdsec/local_api_credentials.yaml (only the url: part)

Of course !

cat /etc/crowdsec/config.yaml

common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
  hub_branch: master
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    tls:
      cert_file: /etc/crowdsec/ssl/cert.pem
      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

cat /etc/crowdsec/local_api_credentials.yaml

url: http://127.0.0.1:8080/

Thanks for your help

Thanks @graoully54

In your config.yaml, the crowdsec LAPI should listen on 127.0.0.1:8080 but in cscli decisions list output we can see that the connection is refused on 127.0.0.1:8080.

Is the local API running on the machine where you invoke cscli ?

Maybe my previous install?
But if I do a “netstat -laputen” I have no port 8080 in use, and if I do a “ps aux |grep crowdsec” I get this one: " mars26 1:07 /usr/local/bin/cs-firewall-bouncer -c /etc/crowdsec/cs-firewall-bouncer//cs-firewall-bouncer.yaml"
Do I have to kill this instance? And if yes, what happens at reboot?

thanks for your support

Hello @graoully54 ,

It means that the crowdsec agent and the local API are not running.
Can you please restart crowdsec (sudo systemctl restart crowdsec) and check what happens?

Thanks for your answer. I already tried; unfortunately I always have the same error:

sudo systemctl restart crowdsec

cscli decisions list

FATA[0000] Unable to list decisions : performing request: Get http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false: could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused

After running sudo systemctl status crowdsec, can you paste the output of :

  • sudo systemctl status crowdsec

  • /var/log/crowdsec.log

Please:

sudo systemctl restart crowdsec

sudo systemctl status crowdsec

● crowdsec.service - Crowdsec agent
Loaded: loaded (/etc/systemd/system/crowdsec.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2021-04-01 21:20:44 CEST; 6s ago
Process: 25754 ExecStart=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml (code=exited, status=1/FAILURE)
Process: 25717 ExecStartPre=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml -t (code=exited, status=0/SUCCESS)
Main PID: 25754 (code=exited, status=1/FAILURE)

avril 01 21:20:40 WebProd005 systemd[1]: Starting Crowdsec agent…
avril 01 21:20:44 WebProd005 systemd[1]: Started Crowdsec agent.
avril 01 21:20:44 WebProd005 crowdsec[25754]: 127.0.0.1 - [Thu, 01 Apr 2021 21:20:44 CEST] "POST /v1/watchers/login HTTP/1.1 401 345.696µs “crowdsec/v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900” "
avril 01 21:20:44 WebProd005 systemd[1]: crowdsec.service: Main process exited, code=exited, status=1/FAILURE
avril 01 21:20:44 WebProd005 systemd[1]: crowdsec.service: Failed with result ‘exit-code’.

And the log:

time=“01-04-2021 21:20:41” level=info msg=“Crowdsec v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900”
time=“01-04-2021 21:20:41” level=info msg=“Loading prometheus collectors”
time=“01-04-2021 21:20:41” level=info msg=“Loading CAPI pusher”
time=“01-04-2021 21:20:42” level=info msg=“Loading grok library /etc/crowdsec//patterns/”
time=“01-04-2021 21:20:42” level=info msg=“Loading enrich plugins”
time=“01-04-2021 21:20:43” level=info msg=“Loading parsers 10 stages”
time=“01-04-2021 21:20:43” level=info msg=“Node in /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping.”
time=“01-04-2021 21:20:43” level=info msg=“Loaded 2 parser nodes” file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 0 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time=“01-04-2021 21:20:43” level=info msg=“Loaded 10 nodes, 3 stages”
time=“01-04-2021 21:20:43” level=info msg=“Loading postoverflow Parsers”
time=“01-04-2021 21:20:43” level=info msg=“Loaded 0 nodes, 0 stages”
time=“01-04-2021 21:20:43” level=info msg=“Loading 12 scenario files”
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=weathered-haze file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=falling-leaf file=/etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml name=crowdsecurity/iptables-scan-multi_ports
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=cool-forest file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=late-water file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=delicate-wave file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=snowy-sun file=/etc/crowdsec/scenarios/mysql-bf.yaml name=crowdsecurity/mysql-bf
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=autumn-lake file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=throbbing-mountain file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=long-frost file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=holy-violet file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=lingering-smoke file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
time=“01-04-2021 21:20:43” level=info msg=“Adding leaky bucket” cfg=bold-forest file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time=“01-04-2021 21:20:43” level=info msg=“Adding trigger bucket” cfg=cool-dust file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time=“01-04-2021 21:20:43” level=warning msg=“Loaded 13 scenarios”
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/error.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/other_vhosts_access.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/apache2/access.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/auth.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/mysql/error.log’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/syslog’"
time=“01-04-2021 21:20:43” level=info msg="[file datasource] opening file ‘/var/log/kern.log’"
time=“01-04-2021 21:20:43” level=warning msg=“while configuring datasource : empty filename(s) and journalctl filter, malformed datasource”
time=“01-04-2021 21:20:43” level=info msg=“test done”
time=“01-04-2021 21:20:43” level=info msg=“Crowdsec v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900”
time=“01-04-2021 21:20:43” level=info msg=“Loading prometheus collectors”
time=“01-04-2021 21:20:43” level=info msg=“Loading CAPI pusher”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api pull (interval: 2h)”
time=“01-04-2021 21:20:43” level=warning msg=“scenario list is empty, will not pull yet”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api send metrics (interval: 30m)”
time=“01-04-2021 21:20:43” level=info msg=“start crowdsec api push (interval: 30s)”
time=“01-04-2021 21:20:43” level=info msg=“Loading grok library /etc/crowdsec//patterns/”
time=“01-04-2021 21:20:44” level=info msg=“Loading enrich plugins”
time=“01-04-2021 21:20:44” level=info msg=“Loading parsers 10 stages”
time=“01-04-2021 21:20:44” level=info msg=“Node in /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping.”
time=“01-04-2021 21:20:44” level=info msg=“Loaded 2 parser nodes” file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 0 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 1 parser nodes” file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time=“01-04-2021 21:20:44” level=info msg=“Loaded 10 nodes, 3 stages”
time=“01-04-2021 21:20:44” level=info msg=“Loading postoverflow Parsers”
time=“01-04-2021 21:20:44” level=info msg=“Loaded 0 nodes, 0 stages”
time=“01-04-2021 21:20:44” level=info msg=“Loading 12 scenario files”
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=dry-moon file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=patient-leaf file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=shy-leaf file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=winter-night file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=nameless-voice file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=billowing-darkness file=/etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml name=crowdsecurity/iptables-scan-multi_ports
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=billowing-voice file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=little-waterfall file=/etc/crowdsec/scenarios/mysql-bf.yaml name=crowdsecurity/mysql-bf
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=ancient-fog file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=broken-dream file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=broken-night file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time=“01-04-2021 21:20:44” level=info msg=“Adding leaky bucket” cfg=young-firefly file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time=“01-04-2021 21:20:44” level=info msg=“Adding trigger bucket” cfg=damp-violet file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time=“01-04-2021 21:20:44” level=warning msg=“Loaded 13 scenarios”
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/error.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/other_vhosts_access.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/apache2/access.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/auth.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/mysql/error.log’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/syslog’"
time=“01-04-2021 21:20:44” level=info msg="[file datasource] opening file ‘/var/log/kern.log’"
time=“01-04-2021 21:20:44” level=warning msg=“while configuring datasource : empty filename(s) and journalctl filter, malformed datasource”
time=“01-04-2021 21:20:44” level=warning msg=“Starting processing data”
time=“01-04-2021 21:20:44” level=info msg="Error machine login for 6[…]7 : ent: machine not found "
time=“01-04-2021 21:20:44” level=fatal msg=“starting outputs error : authenticate watcher (6[…]7): Post http://127.0.0.1:8080/v1/watchers/login: received response status “401 Unauthorized” when fetching http://127.0.0.1:8080/v1/watchers/login

Thanks !!!

Hello @graoully54

Your crowdsec agent is not registered to the local API.
Can you please run : sudo cscli machines add -a and restart crowdsec ?


Yes, it’s working, many thanks!
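
The diagnosis path followed in this thread, as an added example that is not part of the original posts or CrowdSec's own tooling: it classifies the three failure messages quoted above and prints the next step the thread gives for each. The function names `diagnose_crowdsec` and `next_step`, the diagnosis keywords, and `MACHINE_ID_PLACEHOLDER` are assumptions made for illustration; the sample lines are constructed from the messages in the thread.

```shell
#!/bin/sh
# Added example (not CrowdSec code): classify the start-up failures from this thread.
# Reads crowdsec.log, journal or cscli output on stdin, prints one diagnosis keyword.
diagnose_crowdsec() {
    input=$(cat)
    # The daemon's own fatal errors are checked first: they explain why cscli
    # later gets "connection refused" (the process exited, so nothing listens).
    if printf '%s\n' "$input" | grep -q 'missing local API credentials'; then
        echo "credentials-missing"
    elif printf '%s\n' "$input" |
        grep -Eq 'machine not found|401 Unauthorized|/v1/watchers/login HTTP/1\.1 401'; then
        echo "machine-not-registered"
    elif printf '%s\n' "$input" | grep -q 'connect: connection refused'; then
        echo "lapi-not-listening"
    else
        echo "unknown"
    fi
}

# Next step for each diagnosis, using only the commands and paths from the thread.
next_step() {
    case "$1" in
        credentials-missing)
            echo "check that /etc/crowdsec/local_api_credentials.yaml is not empty" ;;
        machine-not-registered)
            echo "sudo cscli machines add -a, then sudo systemctl restart crowdsec" ;;
        lapi-not-listening)
            echo "sudo systemctl status crowdsec, then read /var/log/crowdsec.log" ;;
        *)
            echo "no known pattern, read /var/log/crowdsec.log" ;;
    esac
}

# Constructed sample input, modelled on the messages quoted in the thread.
SAMPLE_REFUSED='FATA[0000] Unable to list decisions : could not get jwt token: Post http://127.0.0.1:8080/v1/watchers/login: dial tcp 127.0.0.1:8080: connect: connection refused'
SAMPLE_UNREGISTERED='level=info msg="Error machine login for MACHINE_ID_PLACEHOLDER : ent: machine not found"
level=fatal msg="authenticate watcher: received response status 401 Unauthorized"'
SAMPLE_NO_CREDS='level=fatal msg="missing local API credentials for crowdsec agent, abort"'

for sample in "$SAMPLE_REFUSED" "$SAMPLE_UNREGISTERED" "$SAMPLE_NO_CREDS"; do
    cause=$(printf '%s\n' "$sample" | diagnose_crowdsec)
    printf '%s -> %s\n' "$cause" "$(next_step "$cause")"
done
```

To run it on a real host, pipe the log into the function, for example `sudo cat /var/log/crowdsec.log | diagnose_crowdsec`.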