Crowdsec Gotify Parser Not Working

Hello,
I installed Crowdsec and installed the baudneo/gotify collection. I have adjusted the path from the log in the acquis.yaml:

filenames:
  - /var/log/gotify/gotify.log
labels:
  type: gotify
---
journalctl_filter:
 - _SYSTEMD_UNIT=ssh.service
labels:
  type: syslog
---

If I log in incorrectly on Gotify WEBUI, it will also be in the Gotify log:

2023-12-27T20:32:28Z | 401 |     757.293  s |  xxx.xxx.xxx.xxx | POST     "/client"
Error #01: you need to provide a valid access token or user credentials to access this api

But Crowdsec won’t recognize it. Does anyone know where the error is, and how I can test it? With SSH, Crowdsec detects if I log in incorrectly and then blocks me locally. (I have deleted the whitelist.)

Here is information about Crowdsec:



Gotify used to use Gin default log format, however, recently they have updated the format and it no longer matches ours.

Edit: just created a PR to update this: Gotify update by LaurenceJJones · Pull Request #899 · crowdsecurity/hub · GitHub

Here is your log line parsed with the new parser

$ cscli explain --log '2023-12-27T20:32:28Z | 401 |     757.293s |  1.2.3.4 | POST     "/client"' --type gotify -v
line: 2023-12-27T20:32:28Z | 401 |     757.293s |  1.2.3.4 | POST     "/client"
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (+5 ~8)
	|		├ update evt.ExpectMode : %!s(int=0) -> 1
	|		├ update evt.Stage :  -> s01-parse
	|		├ update evt.Line.Raw :  -> 2023-12-27T20:32:28Z | 401 |     757.293s |  1.2.3.4 | POST     "/client"
	|		├ update evt.Line.Src :  -> /tmp/cscli_explain1952543944/cscli_test_tmp.log
	|		├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-12-28 09:41:49.126497829 +0000 UTC
	|		├ create evt.Line.Labels.type : gotify
	|		├ update evt.Line.Process : %!s(bool=false) -> true
	|		├ update evt.Line.Module :  -> file
	|		├ create evt.Parsed.program : gotify
	|		├ create evt.Parsed.message : 2023-12-27T20:32:28Z | 401 |     757.293s |  1.2.3.4 | POST     "/client"
	|		├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-12-28 09:41:49.12651933 +0000 UTC
	|		├ create evt.Meta.datasource_path : /tmp/cscli_explain1952543944/cscli_test_tmp.log
	|		├ create evt.Meta.datasource_type : file
	├ s01-parse
	|	├ 🟢 baudneo/gotify-logs (+7 ~2)
	|		├ update evt.Stage : s01-parse -> s02-enrich
	|		├ create evt.Parsed.request_time_took : 757.293s
	|		├ create evt.Parsed.request_type : POST
	|		├ create evt.Parsed.source_ip : 1.2.3.4
	|		├ create evt.Parsed.timestamp : 2023-12-27T20:32:28Z
	|		├ create evt.Parsed.endpoint : /client
	|		├ update evt.StrTime :  -> 2023-12-27T20:32:28Z
	|		├ create evt.Meta.log_type : gotify_failed_auth
	|		├ create evt.Meta.source_ip : 1.2.3.4
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
	|		├ create evt.Enriched.MarshaledTime : 2023-12-27T20:32:28Z
	|		├ update evt.Time : 2023-12-28 09:41:49.12651933 +0000 UTC -> 2023-12-27 20:32:28 +0000 UTC
	|		├ update evt.MarshaledTime :  -> 2023-12-27T20:32:28Z
	|		├ create evt.Meta.timestamp : 2023-12-27T20:32:28Z
	|	├ 🟢 crowdsecurity/geoip-enrich (+10)
	|		├ create evt.Enriched.IsoCode : AU
	|		├ create evt.Enriched.Latitude : -33.494000
	|		├ create evt.Enriched.Longitude : 143.210400
	|		├ create evt.Enriched.ASNNumber : 0
	|		├ create evt.Enriched.ASNOrg : 
	|		├ create evt.Enriched.ASNumber : 0
	|		├ create evt.Enriched.IsInEU : false
	|		├ create evt.Meta.ASNNumber : 0
	|		├ create evt.Meta.IsInEU : false
	|		├ create evt.Meta.IsoCode : AU
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 baudneo/gotify-bf
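
As an added illustration (not part of the original posts and not the hub's own code), the Python sketch below parses the pipe-separated Gotify line shown above into the same field names that appear in the explain output, and shows why a line in another format produces no event. The regex, the 401-means-failed-login rule, the threshold and window, and the sample lines are assumptions constructed for this example; they are not taken from baudneo/gotify-logs or baudneo/gotify-bf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed regex for the pipe-separated format shown in this thread; it is NOT
# the grok pattern shipped in baudneo/gotify-logs.
LINE_RE = re.compile(
    r'^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s*\|\s*(?P<status>\d{3})\s*\|'
    r'\s*(?P<request_time_took>[^|]+?)\s*\|\s*(?P<source_ip>\S+)\s*\|'
    r'\s*(?P<request_type>[A-Z]+)\s+"(?P<endpoint>[^"]*)"\s*$'
)

def parse_line(line):
    """Return a dict of parsed fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. the "Error #01: ..." line, or an older log format
    evt = m.groupdict()
    evt["time"] = datetime.strptime(evt["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    # Assumption: a 401 status is what marks a failed login (the thread's
    # 401 line ends up with evt.Meta.log_type = gotify_failed_auth).
    evt["log_type"] = "gotify_failed_auth" if evt["status"] == "401" else None
    return evt

def brute_force_ips(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed logins inside a sliding window.
    threshold/window are hypothetical, not the baudneo/gotify-bf settings."""
    recent, flagged = defaultdict(list), set()
    for line in lines:
        evt = parse_line(line)
        if not evt or evt["log_type"] != "gotify_failed_auth":
            continue
        hits = recent[evt["source_ip"]]
        hits.append(evt["time"])
        hits[:] = [t for t in hits if evt["time"] - t <= window]
        if len(hits) >= threshold:
            flagged.add(evt["source_ip"])
    return sorted(flagged)

# Constructed sample input (documentation IP ranges), not real logs.
SAMPLE = [
    f'2023-12-27T20:32:{28 + i:02d}Z | 401 |     757.293s |  192.0.2.10 | POST     "/client"'
    for i in range(5)
] + [
    "Error #01: you need to provide a valid access token or user credentials to access this api",
    '2023-12-27T20:33:00Z | 200 |       1.204ms |  198.51.100.7 | GET      "/message"',
    '2023-12-27T20:33:05Z | 401 |     612.100s |  203.0.113.5 | POST     "/client"',
    # Constructed line in Gin's default style: the older format no longer matches.
    '[GIN] 2023/12/27 - 20:33:10 | 401 |     757.293s |  192.0.2.10 | POST     "/client"',
]

if __name__ == "__main__":
    print(brute_force_ips(SAMPLE))
```

A line that fails to match yields no event at all, so no scenario can fire on it; that is the same symptom as the unparsed Gotify log in the first post.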

Hello, thank you very much for your help!!

I’m new to Crowdsec and don’t really know how to get started. Can you tell me how I should proceed?

Thank you!

The PR has been merged now so if you run these it should update

cscli hub update
cscli hub upgrade
systemctl restart crowdsec

Then it “should” start parsing

Hi,
Wow, works perfectly! Thank you very much!

Hello,
I still have a small problem: if I log in incorrectly locally to gotify, I will be recognized by CrowdSec and banned. If I log in via the Internet (subdomain), Crowdsec also recognizes my public IP address and also bans me, but I still have access to Gotify.
Maybe brief information about my config.
I have Proxmox 3 Server running:
Gotify, Bitwarden, Nextcloud and Nginx Proxy Manager.

The servers are passed on to the domain through the proxy manager.

I have already installed the proxy manager according to the installation instructions.

Strangely enough, CrowdSec recognized me on the Nginx Proxy Manager (LePresidente/http-generic-401-bf) and started a captcha request, but I didn’t receive one and was still able to log in.

Maybe I’m approaching it the wrong way and should only install CrowdSec on the Nginx Proxy Manager and then query the other servers via Syslog?

Many thanks for the help!

Which remediation components are you using? Are they connected and working if you run cscli bouncers list?

Hello,
I have Gotify running as an lxc container on Proxmox (Own IP):

and Nginx Proxy Manager as lxc container on Proxmox (Own IP):

Here is a log of Gotify. In the local network it works, but not over Proxy Manager:

OK,
I think I found the problem. I need to set up the local API between Gotify and Nginx Proxy Manager (client to host). Is there anybody who can help me set this up?
I found this:

From the images you took, it seems the npm-proxy bouncer is not connected or is having issues connecting. I would make sure it is working and check the error logs.