Hi,
I installed the home assistant add-on, but the logs are not parsed, and it ignores failed logins or banned IPs.
Also tried to cscli explain the logs directly, but this does not seem to parse.
Configuration is default.
Any idea where to start?
Thanks
Kris
Found the problem. The log format has been changed, they included a Request URL.
Changing the grok pattern in the parser fixed it for the failed logons
From:
pattern: '%{TIMESTAMP:time} WARNING \(%{DATA:threadName}\) \[homeassistant.components.http.ban\] Login attempt or request with invalid authentication from %{DATA:source_rdns} \(%{IPORHOST:source_ip}\). \(%{GREEDYDATA:http_user_agent}\)'
To:
pattern: '%{TIMESTAMP:time} WARNING \(%{DATA:threadName}\) \[homeassistant.components.http.ban\] Login attempt or request with invalid authentication from %{DATA:source_rdns} \(%{IPORHOST:source_ip}\). Requested URL: %{GREEDYDATA:request_uri}\. \(%{GREEDYDATA:http_user_agent}\)'
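The effect of the log format change described in the post above, as an added example (not part of the thread and not CrowdSec's own code): the two grok patterns are translated into Python regular expressions and run over two constructed log lines. The sub-pattern definitions are assumptions, in particular TIMESTAMP (defined by the parser itself, guessed here) and a simplified IPORHOST.

```python
import re

# Simplified stand-ins for the grok sub-patterns (assumptions, not the hub's definitions).
SUBPATTERNS = {
    "TIMESTAMP": r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPORHOST": r"[0-9A-Za-z.:\-]+",
}

# Part shared by both patterns from the post.
PREFIX = (r"%{TIMESTAMP:time} WARNING \(%{DATA:threadName}\) "
          r"\[homeassistant.components.http.ban\] Login attempt or request with "
          r"invalid authentication from %{DATA:source_rdns} \(%{IPORHOST:source_ip}\).")
OLD = PREFIX + r" \(%{GREEDYDATA:http_user_agent}\)"
NEW = PREFIX + (r" Requested URL: %{GREEDYDATA:request_uri}\."
                r" \(%{GREEDYDATA:http_user_agent}\)")

# Constructed sample lines: one in the old format, one with the added request URL.
HEAD = ("2023-01-10 08:15:42.123 WARNING (MainThread) "
        "[homeassistant.components.http.ban] Login attempt or request with "
        "invalid authentication from host.example (203.0.113.7).")
UA = " (Mozilla/5.0 (X11; Linux x86_64))"
OLD_LINE = HEAD + UA
NEW_LINE = HEAD + " Requested URL: '/auth/login_flow/abc123'." + UA


def compile_grok(pattern):
    """Replace each %{NAME:field} with a named regex group; the rest is already regex."""
    return re.compile(re.sub(
        r"%\{(\w+):(\w+)\}",
        lambda m: f"(?P<{m[2]}>{SUBPATTERNS[m[1]]})",
        pattern,
    ))


def parse(pattern, line):
    """Return the captured fields, or None when the line does not parse."""
    match = compile_grok(pattern).search(line)
    return match.groupdict() if match else None


if __name__ == "__main__":
    for name, pattern in (("old", OLD), ("new", NEW)):
        for label, line in (("old-format line", OLD_LINE), ("new-format line", NEW_LINE)):
            fields = parse(pattern, line)
            print(f"{name} pattern / {label}:", fields["source_ip"] if fields else "unparsed")
```

A line that does not parse yields no `source_ip`, so the failed login never reaches a scenario and nothing is banned, which matches the symptom in the first post.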
Has this been updated or do I still need to modify the file since I grabbed those from CrowdSec Hub?
This has been fixed and is available from the hub:
cscli hub update
cscli hub upgrade
Hi there! I am having this exact same issue, and the cscli hub update / cscli hub upgrade isn’t solving the issue.
I have tried creating separate yaml files for homeassistant and nginx proxy manager in the acquis.d folder to no avail. I even tried using a transformer line someone advised me to use from Reddit.
acquisition: >
  source: journalctl
  journalctl_filter:
    - "--directory=/var/log/journal/"
  labels:
    type: syslog
  transform: "ReplaceAll(evt.Line.Raw, 'addon_a0d7b954_nginxproxymanager','nginx-proxy-manager')"
disable_lapi: false
remote_lapi_url: ""
agent_username: ""
agent_password: ""
collections:
  - crowdsecurity/home-assistant
  - crowdsecurity/nginx-proxy-manager
parsers:
  - crowdsecurity/nginx-proxy-manager-logs
  - crowdsecurity/home-assistant-logs
scenarios:
postoverflows:
parsers_to_disable:
scenarios_to_disable:
disable_online_api: false
Even with the transform, almost nothing appears to be parsing. I’m not sure what to make of these metrics.
Ok, may have resolved it by accident? I added the same transform line
transform: "ReplaceAll(evt.Line.Raw, 'addon_a0d7b954_nginxproxymanager','nginx-proxy-manager')"
to my additional yaml files in acquis.d. So now all three of my yamls
- /config/.storage/crowdsec/config/acquis.yaml
- /config/.storage/crowdsec/config/acquis.d/npm.yaml
- /config/.storage/crowdsec/config/acquis.d/homeassistant.yaml
All contain virtually the same code
source: journalctl
journalctl_filter:
  - "--directory=/var/log/journal/"
labels:
  type: syslog
transform: "ReplaceAll(evt.Line.Raw, 'addon_a0d7b954_nginxproxymanager','nginx-proxy-manager')"
with the exception of the TYPE label for each being “syslog” for the main acquis.yaml, “home-assistant” for the homeassistant.yaml and “nginx-proxy-manager” for the npm.yaml.
I just tried to do the HTTP Stack Health Check test on a whim.
curl -I https:///crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl
Every other time I tried it, I never got it to generate an Alert. Today, for the first time ever it did.

This is the most progress I’ve had in the last 7 days of trying to figure this out.
I still am not sure if I’m fully protected the way I want to be… but this is giving me hope that it’s starting to work as intended. The fact that my test registered in the app.crowdsec.net console and gave me all the green checkmarks feels good. Was sick of staring at the ‘No Alerts detected for 72 hours’.