Hello
I'm a newbie with CrowdSec. I'm trying to use email and Teams notifications from a Windows Server 2016. It didn't work, and I get this kind of log.
For the email notification:
time="28-06-2022 15:16:49" level=debug msg="starting plugin" args="[C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exeS]" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe"
time="28-06-2022 15:16:49" level=debug msg="plugin started" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe" pid=7012
time="28-06-2022 15:16:49" level=debug msg="waiting for RPC address" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-email.exe"
For the Teams notification:
time="28-06-2022 15:24:45" level=debug msg="starting plugin" args="[C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe]" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe"
time="28-06-2022 15:24:45" level=debug msg="plugin started" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe" pid=5412
time="28-06-2022 15:24:45" level=debug msg="waiting for RPC address" path="C:\\ProgramData\\CrowdSec\\plugins\\notification-http.exe"
I think the conf files are OK.
profiles.yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
#  - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#  - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
on_success: break
email.yaml
type: email # Don't change
name: email_default # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: debug

# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
timeout: 20s # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the email message body
format: |
  {{range . -}}
   {{$alert := . -}}
   {{range .Decisions -}}
    <html><body><p><a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href=https://www.shodan.io/host/{{.Value}}>Shodan</a></p></body></html>
   {{end -}}
  {{end -}}

smtp_host: smtp.gmail.com # example: smtp.gmail.com
smtp_username: <mail address> # Replace with your actual username
smtp_password: <password> # Replace with your actual password
smtp_port: 587 # Common values are any of [25, 465, 587, 2525]
auth_type: login # Valid choices are "none", "crammd5", "login", "plain"
sender_name: "CrowdSec"
sender_email: <mail address> # example: foo@gmail.com
email_subject: "CrowdSec Notification"
receiver_emails:
  - <my email address>
#  - email2@gmail.com

# One of "ssltls", "none"
encryption_type: ssltls
But my first question is: are CrowdSec notifications enabled on Windows Server?
Thanks for the help.
Arnaud
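Because the plugin in the log above never gets past "waiting for RPC address", the `format` template in email.yaml is never actually exercised, so it cannot be ruled in or out from the log alone. One part that can be checked offline is whether that template parses and what body it produces. The Go program below is an added example, not code from the post or from CrowdSec: it feeds the exact `format` string to Go's text/template (the engine the notification plugins use for `format`) against constructed stand-in structs. `Alert` and `Decision` here only mirror the field names the template reads (`MachineID`, `Decisions`, `Value`, `Type`, `Duration`, `Scenario`) and are not the real `models.Alert`/`models.Decision` types; the IP addresses, scenario and machine names in `SampleAlerts` are made up.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Decision is a constructed stand-in for models.Decision, carrying only
// the fields the email template dereferences (assumption: same names).
type Decision struct {
	Value    string // the banned IP
	Type     string // e.g. "ban"
	Duration string // e.g. "4h"
	Scenario string // e.g. "crowdsecurity/ssh-bf"
}

// Alert is a constructed stand-in for models.Alert with the two fields
// the template uses: the reporting machine and its decisions.
type Alert struct {
	MachineID string
	Decisions []Decision
}

// EmailFormat is the "format" block from email.yaml, copied verbatim.
const EmailFormat = `{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
<html><body><p><a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href=https://www.shodan.io/host/{{.Value}}>Shodan</a></p></body></html>
{{end -}}
{{end -}}
`

// RenderEmailBody parses the template and executes it over the alert list,
// returning the text the plugin would place in the message body. A parse
// error (e.g. an unclosed {{range}}) or a reference to a missing field is
// reported instead of silently producing an empty mail.
func RenderEmailBody(format string, alerts []Alert) (string, error) {
	tmpl, err := template.New("email").Parse(format)
	if err != nil {
		return "", fmt.Errorf("format template does not parse: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alerts); err != nil {
		return "", fmt.Errorf("format template failed on alert data: %w", err)
	}
	return buf.String(), nil
}

// SampleAlerts returns constructed test data (documentation IPs, made-up
// machine names) shaped like what the plugin receives in one batch.
func SampleAlerts() []Alert {
	return []Alert{
		{
			MachineID: "win2016-dc01",
			Decisions: []Decision{
				{Value: "203.0.113.7", Type: "ban", Duration: "4h", Scenario: "crowdsecurity/ssh-bf"},
			},
		},
		{
			MachineID: "win2016-web01",
			Decisions: []Decision{
				{Value: "198.51.100.23", Type: "ban", Duration: "4h", Scenario: "crowdsecurity/http-probing"},
			},
		},
	}
}

func main() {
	body, err := RenderEmailBody(EmailFormat, SampleAlerts())
	if err != nil {
		fmt.Println("template problem:", err)
		return
	}
	fmt.Print(body)
}
```

Running it shows one thing the YAML alone does not make obvious: the template emits a complete `<html>...</html>` document per decision, so a batch of two alerts yields two concatenated HTML documents in a single mail body. If you change the template, rerun this before touching the live config; a broken template surfaces here as a parse error rather than as another silent plugin failure.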