File notification plugin on k8s

Hello,

I got some issues installing the file notification plugin lately :frowning:.
So first of all I rechecked all my config:

I’m running amd64 so I downloaded the plugin with:

wget -qO- https://github.com/zbalkan/notification-file/releases/download/0.1.1/notification-file_0.1.1_linux_amd64.tar.gz | tar -xz

and I deleted the Readme (rm README.md)

I got my rights well tuned:

I registered the plugin in my profile.yaml:

I got my configuration file:

BUT I got this error when I restart the service (BTW I’m not sure if this is the right way to restart the service):

What am I missing?

If you restart the container, unless you are persisting that folder, it will be lost. You have to build a custom container image for that to work or create persistent storage.

Why do you want to write these alerts to a file contained within a container?

Ok, I see. I’m just doing some tests and I wanted to avoid the part where I mess around with a custom image and the helm chart :slight_smile:

The goal of installing the file notification plugin is to write the alerts to /dev/stdout in order to pick them up with vector.

Just a quick FYI, I made an “official” file plugin (feat: File notification plugin by LaurenceJJones · Pull Request #2932 · crowdsecurity/crowdsec · GitHub) that should be shipped by default.

Hooo, that’s awesome!

I just checked whether the latest version of crowdsec ships with the new “official” plugin but I didn’t find it yet.

I found that my version is 1.6.1

And I’m guessing that the new official plugin will be out in 1.6.2


If I’m right, do you know when this version will be out? I’m just thrilled to check that! :slight_smile:

Thanks a lot for your work!!!

Yes, however, once it is merged you can point to the dev tag whilst we do the release cycle.

Hello!

First of all, thanks for your work, my setup works and I’m just coming back to share what I did (maybe it can help someone else, who knows).

So I’m using the crowdsec/crowdsec helm chart in order to deploy crowdsec on kubernetes and I just needed to redirect the alerts to the standard output of the lapi pod in order to retrieve them with a log collector (vector).

Here’s the values.yaml I’m using:

image:
  # -- docker image repository name
  repository: crowdsecurity/crowdsec
  # -- pullPolicy
  pullPolicy: IfNotPresent
  # -- docker image tag
  tag: "dev"

container_runtime: containerd
agent:
  # To specify each pod whose logs you want to process (pods present in the node)
  additionalAcquisition: []
    # - source: kinesis
    #   stream_name: my-stream
    #   labels:
    #     type: mytype
    # - source: syslog
    #   listen_addr: 127.0.0.1
    #   listen_port: 4242
    #   labels:
    #     type: syslog

  acquisition:
    # The namespace where the pod is located
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: nginx
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*

  # Those are ENV variables
  env:
  # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
  - name: DISABLE_ONLINE_API
    value: "true"
  # As we are running Nginx, we want to install the Nginx collection
  - name: COLLECTIONS
    value: "crowdsecurity/nginx"
  - name: DISABLE_PARSERS
    value: "crowdsecurity/whitelists"
lapi:
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"
config:
  config.yaml.local: |
    # here I needed to run the plugin with root privilege in order to write in /proc/1/fd/1
    plugin_config:
      user: "root"
      group: "root"
    # db_config:
    #   type:     postgresql
    #   user:     crowdsec
    #   password: ${DB_PASSWORD}
    #   db_name:  crowdsec
    #   host:     192.168.0.2
    #   port:     5432
    #   sslmode:  require

    # -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
  notifications:
    files.yaml: |
      type: file
      name: file_default # this must match with the registered plugin in the profile
      log_level: info # Options include: trace, debug, info, warn, error, off
      # This template render all events as ndjson
      format: |
        {{range . -}}
        { "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
        {{ end -}}
      # you can't write on /dev/stdout because only the process with PID 1 will give output on k8s
      log_path: "/proc/1/fd/1"
      rotate:
        enabled: false # Change to false if you want to handle log rotate on system basis
        max_size: 500
        max_files: 5
        max_age: 5
        compress: true
      log_format:
        custom_format: "%msg%" # https://github.com/t-tomalak/logrus-easy-formatter
  profiles.yaml: |
    name: default_ip_remediation
    #debug: true
    filters:
    - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
    - type: ban
      duration: 4h
    duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
    notifications:
      - file_default
    on_success: break

I’m aware that it’s a bit of a messy solution, but at the moment I haven’t found another way to do it; if you have any suggestions, I’m open to them.
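The `format` template in the files.yaml above is what decides whether vector can ingest the stream: each alert must come out as exactly one JSON object per line. The following Go program is an added example, not code from the post or from CrowdSec, that renders that same template over constructed alerts and then parses the result back as NDJSON the way a collector would. It assumes a reduced `Alert` struct (real CrowdSec alerts carry many more fields) and a `toJson` helper assumed to behave like the sprig function CrowdSec exposes to plugin templates, i.e. `json.Marshal` of the value.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Alert is a reduced stand-in for the CrowdSec alert object (assumption:
// only the fields this demo needs are modelled; real alerts carry many more).
type Alert struct {
	Scenario string `json:"scenario"`
	Source   string `json:"source_ip"`
	StartAt  string `json:"start_at"`
	StopAt   string `json:"stop_at"`
}

// AlertFormat is the format template from the files.yaml in the post above.
// The "-" trim markers are what keep the output to one object per line.
const AlertFormat = `{{range . -}}
{ "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
{{ end -}}
`

// toJSON stands in for sprig's toJson (assumed behaviour): marshal to a JSON string.
func toJSON(v any) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// RenderAlerts renders the template over a batch of alerts, the way the file
// plugin renders each batch it receives from the LAPI before writing it out.
func RenderAlerts(alerts []Alert) (string, error) {
	tmpl, err := template.New("file").Funcs(template.FuncMap{"toJson": toJSON}).Parse(AlertFormat)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ParseNDJSON splits rendered output into lines and decodes each one, which is
// what a collector such as vector does with a JSON-per-line stream. A line that
// is not a complete JSON object is reported instead of silently dropped.
func ParseNDJSON(out string) ([]map[string]any, error) {
	var records []map[string]any
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		var rec map[string]any
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %q is not valid JSON: %w", line, err)
		}
		records = append(records, rec)
	}
	return records, nil
}

// SampleAlerts returns constructed alerts (not real data) for the demo.
func SampleAlerts() []Alert {
	return []Alert{
		{Scenario: "crowdsecurity/http-probing", Source: "203.0.113.10", StartAt: "2024-05-01T10:00:00Z", StopAt: "2024-05-01T10:00:30Z"},
		{Scenario: "crowdsecurity/http-bad-user-agent", Source: "198.51.100.7", StartAt: "2024-05-01T10:01:00Z", StopAt: "2024-05-01T10:01:05Z"},
	}
}

func main() {
	out, err := RenderAlerts(SampleAlerts())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints two lines, each a JSON object with `time`, `program` and a nested `alert` object, so a vector `json` parser on the pod's stdout sees one event per alert. Because the `alert` key holds the whole alert (in production far larger than the four fields here), the collector's parser has to cope with deeply nested JSON rather than flat key/value pairs.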