Hello,
I had some issues installing the file notification plugin recently.
So first of all I rechecked all my config:
I'm running amd64 so I downloaded the plugin with:
wget -qO- https://github.com/zbalkan/notification-file/releases/download/0.1.1/notification-file_0.1.1_linux_amd64.tar.gz | tar -xz
and I deleted the Readme (rm README.md)
I have my permissions set correctly:
I registered the plugin in my profile.yaml:
I have my configuration file:
BUT I get this error when I restart the service (BTW I'm not sure if this is the right way to restart the service):
What am I missing?
If you restart the container, unless you are persisting that folder, it will be lost. You have to build a custom container image for that to work or create persistent storage.
Why do you want to write these alerts to a file contained within a container?
OK, I see. I'm just doing some tests and I wanted to avoid the part where I mess around with a custom image and the Helm chart.
The goal of installing the file notification plugin is to write the alerts to /dev/stdout in order to pick them up with vector.
Ooh, that's awesome!
I just checked whether the latest version of crowdsec ships with the new "official" plugin but I didn't find it yet.
I found that my version is 1.6.1
And I'm guessing that the new official plugin will be out in 1.6.2
If I'm right, do you know when this version will be out? I'm just thrilled to check that!
Thanks a lot for your work!!!
Yes, however, once it is merged you can point to the dev tag whilst we do the release cycle.
Hello!
First of all, thanks for your work. My setup works and I'm just coming back to share what I did (maybe it can help someone else, who knows).
So I'm using the crowdsec/crowdsec Helm chart to deploy CrowdSec on Kubernetes, and I just needed to redirect the alerts to the standard output of the lapi pod in order to retrieve them with a log collector (vector).
Here’s the values.yaml I’m using:
```yaml
image:
  # -- docker image repository name
  repository: crowdsecurity/crowdsec
  # -- pullPolicy
  pullPolicy: IfNotPresent
  # -- docker image tag
  tag: "dev"
container_runtime: containerd
agent:
  # To specify each pod whose logs you want to process (pods present on the node)
  additionalAcquisition: []
  # - source: kinesis
  #   stream_name: my-stream
  #   labels:
  #     type: mytype
  # - source: syslog
  #   listen_addr: 127.0.0.1
  #   listen_port: 4242
  #   labels:
  #     type: syslog
  acquisition:
    # The namespace where the pod is located
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: nginx
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"
    # As we are running Nginx, we want to install the Nginx collection
    - name: COLLECTIONS
      value: "crowdsecurity/nginx"
    - name: DISABLE_PARSERS
      value: "crowdsecurity/whitelists"
lapi:
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"
config:
  config.yaml.local: |
    # here I needed to run the plugin with root privilege in order to write to /proc/1/fd/1
    plugin_config:
      user: "root"
      group: "root"
    # db_config:
    #   type: postgresql
    #   user: crowdsec
    #   password: ${DB_PASSWORD}
    #   db_name: crowdsec
    #   host: 192.168.0.2
    #   port: 5432
    #   sslmode: require
  # -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
  notifications:
    files.yaml: |
      type: file
      name: file_default # this must match the plugin registered in the profile
      log_level: info # Options include: trace, debug, info, warn, error, off
      # This template renders all events as ndjson
      format: |
        {{range . -}}
        { "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
        {{ end -}}
      # you can't write to /dev/stdout because only the process with PID 1 will give output on k8s
      log_path: "/proc/1/fd/1"
      rotate:
        enabled: false # Change to false if you want to handle log rotation at the system level
        max_size: 500
        max_files: 5
        max_age: 5
        compress: true
      log_format:
        custom_format: "%msg%" # https://github.com/t-tomalak/logrus-easy-formatter
  profiles.yaml: |
    name: default_ip_remediation
    #debug: true
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
      - type: ban
        duration: 4h
    duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
    notifications:
      - file_default
    on_success: break
```
I'm aware that it's a bit of a messy solution, but at the moment I haven't found another way to do it; if you have any suggestions, I'm open to them.
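The format template in the files.yaml above is the piece most likely to break the pipeline: if an alert does not land on exactly one line as one complete JSON object, vector will drop or mangle it. The following is an added example (my own code, not from this thread and not CrowdSec's or the plugin's code) that renders that template verbatim with Go's text/template and then parses the output line by line the way a collector would. It assumes a reduced Alert struct with only the fields the template touches, and implements toJson as encoding/json.Marshal, which is what the sprig helper of that name that the file plugin exposes does; the two sample alerts are constructed test data.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Alert is a reduced stand-in for CrowdSec's alert model (assumption: only the
// fields needed here; the real model carries many more, and toJson would emit them all).
type Alert struct {
	Scenario string `json:"scenario"`
	Source   Source `json:"source"`
	StopAt   string `json:"stop_at"`
}

// Source is the originating side of an alert (reduced, assumption).
type Source struct {
	IP    string `json:"ip"`
	Scope string `json:"scope"`
	Value string `json:"value"`
}

// ndjsonTemplate is the format string from files.yaml, verbatim. The "-" in
// "range . -" trims the newline after the opening tag and the one in "end -"
// trims the trailing newline, so every alert occupies exactly one line.
const ndjsonTemplate = `{{range . -}}
{ "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
{{ end -}}
`

// RenderAlerts renders the alerts with the template. toJson stands in for the
// sprig helper the plugin provides; like sprig, it is just json.Marshal.
func RenderAlerts(alerts []Alert) (string, error) {
	funcs := template.FuncMap{
		"toJson": func(v interface{}) (string, error) {
			b, err := json.Marshal(v)
			return string(b), err
		},
	}
	tmpl, err := template.New("files.yaml").Funcs(funcs).Parse(ndjsonTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ParseNDJSON does what a collector does with the stream: every non-empty line
// must be one complete JSON object. It fails on the first line that is not.
func ParseNDJSON(out string) ([]map[string]interface{}, error) {
	var records []map[string]interface{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec map[string]interface{}
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %q is not a JSON object: %w", line, err)
		}
		records = append(records, rec)
	}
	return records, sc.Err()
}

// SampleAlerts returns constructed test data, not real CrowdSec output.
func SampleAlerts() []Alert {
	return []Alert{
		{
			Scenario: "crowdsecurity/http-probing",
			Source:   Source{IP: "203.0.113.7", Scope: "Ip", Value: "203.0.113.7"},
			StopAt:   "2024-05-01T10:00:00Z",
		},
		{
			Scenario: "crowdsecurity/http-bad-user-agent",
			Source:   Source{IP: "198.51.100.23", Scope: "Ip", Value: "198.51.100.23"},
			StopAt:   "2024-05-01T10:05:00Z",
		},
	}
}

func main() {
	out, err := RenderAlerts(SampleAlerts())
	if err != nil {
		fmt.Fprintln(os.Stderr, "render:", err)
		os.Exit(1)
	}
	if _, err := ParseNDJSON(out); err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(1)
	}
	// Same bytes the plugin would write to /proc/1/fd/1 inside the lapi pod.
	fmt.Print(out)
}
```

Run it with `go run .` and you get two lines, each a self-contained JSON object, so the template is safe to point at vector. One caveat the example makes visible: `"time": "{{.StopAt}}"` is interpolated as raw text, not JSON-escaped. That is fine for an RFC 3339 timestamp, but any field that could contain a quote or a backslash should go through `toJson` instead of being quoted by hand.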