Emails won't send on ban or alert (test emails work)

I’ve set up the email notification function.

I’ve confirmed the settings are correct as when using “cscli notifications test email_default” I receive a test email.

I’ve seen alerts and bans happen, but no emails. I did read somewhere that I need to add the following to the “/etc/crowdsec/notifications/email.yaml” file:

triggers:
  - alert
  - ban

But is that correct? I’ve also restarted the crowdsec service.

No, there is no such thing as a triggers attribute, smells like you used an AI. This is clearly documented in our docs: Introduction | CrowdSec

In short, you add the name of the plugin to the profiles you wish for them to send on, within the notifications property. In the example it registers the slack plugin to the profile.

So with the default email name, your default profiles.yaml should be:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - email_default
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - email_default
on_success: break

Thanks for the help. Yes, the smelly AI was really adamant about the triggers. I must say I read the doco a good 15 times before reverting to AI :rofl:. And I did have it set up exactly as you and the doco described. The only thing I have noticed now is that I only have “-email default” enabled for “default_range_remediation”, which I assume should work without having “default_ip_remediation” enabled? :man_shrugging::man_shrugging:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

That means the email will only trigger on range remediation; it is best to turn it on for both IP and range remediation.

Yep that did the trick… I guess because most alerts are a single IP… thanks again for the help.
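
A quick way to catch the misconfiguration resolved in this thread, as an added example that is not part of the original posts or of CrowdSec itself: the hypothetical function `profiles_without_notifications` lists every profile in a profiles.yaml that has no uncommented entry under `notifications:`. The sample file is constructed from the configuration posted above; on a real host you would pass your own profiles file (assumed to be /etc/crowdsec/profiles.yaml).

```shell
#!/bin/sh
# Added example: report profiles that will never send a notification.
# Handles the flat layout of CrowdSec profiles (top-level keys, "---" separators).

profiles_without_notifications() {
    awk '
        # Print the profile name if no active notification plugin was seen.
        function report() {
            if (name != "" && count == 0) print name
            name = ""; count = 0; in_n = 0
        }
        /^---[ \t]*$/      { report(); next }            # next YAML document
        /^[ \t]*#/         { next }                      # commented-out lines never count
        /^name:/           { sub(/^name:[ \t]*/, ""); name = $0; next }
        /^notifications:/  { in_n = 1; next }
        /^[^ \t-]/         { in_n = 0 }                  # another top-level key ends the list
        in_n && /^[ \t]*-[ \t]*[^ \t#]/ { count++ }      # active "- plugin_name" entry
        END                { report() }
    ' "$1"
}

# Constructed sample: the state described in the thread (email only on Range).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
# notifications:
#   - email_default
on_success: break
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
notifications:
#   - slack_default
   - email_default
on_success: break
EOF

profiles_without_notifications "$sample"
```

An empty result means every profile has at least one active notification plugin; restart the crowdsec service after editing the profiles file.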