CrowdSec notification emails and/or Teams for Windows Server

Hello

I’m a newbie with CrowdSec. I’m trying to use email and Teams notifications from a Windows Server 2016. It didn’t work, and I get these kinds of logs:

For email notification:

time="28-06-2022 15:16:49" level=debug msg="starting plugin" args="[C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exeS]" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe"
time="28-06-2022 15:16:49" level=debug msg="plugin started" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe" pid=7012
time="28-06-2022 15:16:49" level=debug msg="waiting for RPC address" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe"

For Teams notification:

time="28-06-2022 15:24:45" level=debug msg="starting plugin" args="[C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe]" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe"
time="28-06-2022 15:24:45" level=debug msg="plugin started" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe" pid=5412
time="28-06-2022 15:24:45" level=debug msg="waiting for RPC address" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe"

I think the conf file is OK:

profiles.yaml

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
 - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
 - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
on_success: break

email.yaml

type: email           # Don't change
name: email_default   # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: debug

# group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold:    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:          # Number of attempts to relay messages to plugins in case of error
timeout: 20s          # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the email message body
format: |
  {{range . -}}
    {{$alert := . -}}
    {{range .Decisions -}}
      <html><body><p><a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href=https://www.shodan.io/host/{{.Value}}>Shodan</a></p></body></html>
    {{end -}}
  {{end -}}

smtp_host: smtp.gmail.com           # example: smtp.gmail.com
smtp_username: <mail address>       # Replace with your actual username
smtp_password: <password>      # Replace with your actual password
smtp_port: 587           # Common values are any of [25, 465, 587, 2525]
auth_type: login           # Valid choices are "none", "crammd5", "login", "plain"
sender_name: "CrowdSec"
sender_email: <mail address>        # example: foo@gmail.com
email_subject: "CrowdSec Notification"
receiver_emails:
- <my email address>
# - email2@gmail.com

# One of "ssltls", "none"
encryption_type: ssltls

But my first question is: are CrowdSec notifications enabled on Windows Server?

Thanks for your help.

Arnaud

Hello,

For Teams notifications, it’s working!!

Great!
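
The check below is an added example, not part of the original posts and not CrowdSec's own tooling. It verifies that every name enabled under notifications: in profiles.yaml matches a name: declared in a plugin config file, and that the enabled list items share one indentation level. The sample inputs are constructed, and the line-based parsing is a simplification rather than a full YAML parser.

```python
import re

# Constructed sample inputs modelled on the files quoted in the thread.
SAMPLE_PROFILE = """\
name: default_ip_remediation
notifications:
 - email_default  # enabled
#   - slack_default
   - http_default   # deeper indent than the first item
on_success: break
"""
SAMPLE_PLUGIN_CONFIGS = {
    "email.yaml": "type: email\nname: email_default\nlog_level: debug\n",
}

ITEM = re.compile(r"^(\s*)-\s+([^\s#]+)")
NAME = re.compile(r"^name:\s*([^\s#]+)", re.MULTILINE)


def enabled_notifications(profile_text):
    """Return [(indent, name)] for uncommented items under 'notifications:'."""
    items, in_block = [], False
    for line in profile_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out entry
        if not line[0].isspace() and not stripped.startswith("-"):
            in_block = stripped.startswith("notifications:")  # new top-level key
            continue
        m = ITEM.match(line)
        if in_block and m:
            items.append((len(m.group(1)), m.group(2)))
    return items


def check(profile_text, plugin_configs):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    items = enabled_notifications(profile_text)
    if len({indent for indent, _ in items}) > 1:
        problems.append("notifications: list items use different indentation")
    registered = {n for text in plugin_configs.values() for n in NAME.findall(text)}
    for _, name in items:
        if name not in registered:
            problems.append(f"{name}: no plugin config declares this name")
    return problems


if __name__ == "__main__":
    print("\n".join(check(SAMPLE_PROFILE, SAMPLE_PLUGIN_CONFIGS)))
```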