Crowdsec not banning anyone

I started out with ssh and vaultwarden to secure, installed their collections and did failed login attempts 10-15 times. When I checked the status using the “cscli metrics” command, it shows some lines as parsed, some as unparsed, but none as poured to bucket.

No matter how many attempts I make, no decision seems to be made by crowdsec. Also, crowdsec explain shows the file being parsed but also shows “parser failed”.

Below is an example of what happens with vaultwarden:
├ s01-parse
| ├ :green_circle: Dominic-Wagner/vaultwarden-logs (+11 ~2)
| ├ update evt.Stage : s01-parse → s02-enrich
| ├ create evt.Parsed.source_ip : 192.168.1.232
| ├ create evt.Parsed.year : 2022
| ├ create evt.Parsed.day : 24
| ├ create evt.Parsed.time : 11:45:48.936
| ├ create evt.Parsed.username : email@email.com
| ├ create evt.Parsed.date : 2022-04-24
| ├ create evt.Parsed.month : 04
| ├ update evt.StrTime : → 2022-04-24 11:45:48.936
| ├ create evt.Meta.source_ip : 192.168.1.232
| ├ create evt.Meta.username : email@email.com
| ├ create evt.Meta.log_type : vaultwarden_failed_auth
| ├ create evt.Meta.service : vaultwarden
| ├ :red_circle: crowdsecurity/nginx-logs
| └ :red_circle: crowdsecurity/sshd-logs
├ s02-enrich
| ├ :green_circle: crowdsecurity/dateparse-enrich (+2 ~1)
| ├ create evt.Enriched.MarshaledTime : 2022-04-24T11:45:48.936Z
| ├ update evt.MarshaledTime : → 2022-04-24T11:45:48.936Z
| ├ create evt.Meta.timestamp : 2022-04-24T11:45:48.936Z
| ├ :green_circle: crowdsecurity/geoip-enrich (+9)
| ├ create evt.Enriched.ASNumber : 0
| ├ create evt.Enriched.IsInEU : false
| ├ create evt.Enriched.IsoCode :
| ├ create evt.Enriched.Latitude : 0.000000
| ├ create evt.Enriched.Longitude : 0.000000
| ├ create evt.Enriched.ASNNumber : 0
| ├ create evt.Enriched.ASNOrg :
| ├ create evt.Meta.IsInEU : false
| ├ create evt.Meta.ASNNumber : 0
| ├ :red_circle: crowdsecurity/http-logs
| └ :green_circle: crowdsecurity/whitelists (~2 [whitelisted])
| └ update evt.Whitelisted : %!s(bool=false) → true
| └ update evt.WhitelistReason : → private ipv4/ipv6 ip/ranges
└-------- parser failure :red_circle:

Here's what happens with ssh:
├ s00-raw
| ├ :red_circle: crowdsecurity/docker-logs
| └ :green_circle: crowdsecurity/syslog-logs (first_parser)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| └ :green_circle: crowdsecurity/sshd-logs (+9 ~1)
| └ update evt.Stage : s01-parse → s02-enrich
| └ create evt.Parsed.sshd_auth_type : rxuser
| └ create evt.Parsed.sshd_client_ip : 192.168.1.232
| └ create evt.Parsed.sshd_port : 57754
| └ create evt.Parsed.sshd_protocol : ssh2
| └ create evt.Parsed.sshd_invalid_user : rxuser
| └ create evt.Meta.service : ssh
| └ create evt.Meta.source_ip : 192.168.1.232
| └ create evt.Meta.target_user : myuser
| └ create evt.Meta.log_type : ssh_failed-auth
├ s02-enrich
| ├ :green_circle: crowdsecurity/dateparse-enrich (+2 ~1)
| ├ create evt.Enriched.MarshaledTime : 2022-04-24T11:48:17Z
| ├ update evt.MarshaledTime : → 2022-04-24T11:48:17Z
| ├ create evt.Meta.timestamp : 2022-04-24T11:48:17Z
| ├ :green_circle: crowdsecurity/geoip-enrich (+9)
| ├ create evt.Enriched.Longitude : 0.000000
| ├ create evt.Enriched.ASNNumber : 0
| ├ create evt.Enriched.ASNOrg :
| ├ create evt.Enriched.ASNumber : 0
| ├ create evt.Enriched.IsInEU : false
| ├ create evt.Enriched.IsoCode :
| ├ create evt.Enriched.Latitude : 0.000000
| ├ create evt.Meta.IsInEU : false
| ├ create evt.Meta.ASNNumber : 0
| ├ :red_circle: crowdsecurity/http-logs
| └ :green_circle: crowdsecurity/whitelists (~2 [whitelisted])
| └ update evt.Whitelisted : %!s(bool=false) → true
| └ update evt.WhitelistReason : → private ipv4/ipv6 ip/ranges
└-------- parser failure :red_circle:

Hello !

From your capture, the logs are discarded because they are coming from private IPs:

You should either try with non-private traffic, and/or disable the crowdsecurity/whitelists parser/whitelist :slight_smile:
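The whitelist parser the reply refers to is a YAML file in the s02-enrich parser stage (by default under /etc/crowdsec/parsers/s02-enrich/). As an added example that is not part of this thread or of the CrowdSec hub, here is a local whitelist in that format that keeps only one trusted management host instead of every RFC1918 range, so that test logins from the rest of 192.168.0.0/16 (such as 192.168.1.232 in the capture above) are no longer discarded; the parser name, file name and the 192.168.1.10 address are assumptions.

```yaml
# /etc/crowdsec/parsers/s02-enrich/local-whitelist.yaml  (file name is an assumption)
# Narrow replacement for crowdsecurity/whitelists: trust one admin host, not all private ranges.
name: local/management-whitelist        # assumed name, not a hub item
description: "Whitelist only the admin workstation, not every private IPv4/IPv6 address"
whitelist:
  reason: "trusted management host"
  ip:
    - "127.0.0.1"
    - "::1"
    - "192.168.1.10"                    # assumed admin workstation address
  # No cidr: entries on purpose: other LAN hosts are evaluated like any other source,
  # so failed logins from them reach the scenarios and can produce a decision.
  # Expression-based entries are also accepted by this parser type, e.g.:
  # expression:
  #   - "evt.Meta.source_ip == '192.168.1.10'"
```

To use it, remove the hub whitelist the reply mentions (cscli parsers remove crowdsecurity/whitelists), restart the crowdsec service, and replay the log through cscli explain: the whitelists line should no longer show [whitelisted], and once the scenario's threshold is reached cscli decisions list should show an entry for the test source. Keeping at least the trusted host in the whitelist matters: with no whitelist at all, a few mistyped passwords from an internal workstation will ban that workstation.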