Logs crowdsec crowdsecurity/geoip-enrich

Hello, I’ve been testing CrowdSec for a while now; it’s working without problems. I just have a question about a warning log that appears only for internal traffic from 192.168.0.0/16.
Since I have a lot of internal traffic, the log is quite large.

The log tells me this:

time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.133’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.12.106’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.71.220’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.233’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.166.72’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

The list of parsers I have:

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            📦 Status    Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2-logs      ✔️ enabled   1.4      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich  ✔️ enabled   0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/geoip-enrich      ✔️ enabled   0.3      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/http-logs         ✔️ enabled   1.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/sshd-logs         ✔️ enabled   2.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs       ✔️ enabled   0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists        ✔️ enabled   0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

Is this log normal?

Yes, as it’s a private IP range, the geo database doesn’t have ranges for these IPs.

Can this warning be disabled somewhere? For context, these warnings make up 92% of my crowdsec.log.

Currently not, as it is written to the logger, which doesn’t know the context. If it pains you a lot, you can download the pending updated parser to update it locally for now.

Depending on where you run CrowdSec, you can do the following:

curl -s https://raw.githubusercontent.com/crowdsecurity/hub/35fe453e8edc325f291fe8f6df211af3ed224d76/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml > /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml

I have written tests so it should work fine and others have tested, but please if you encounter any issue report it here :llama:


I’m on 1.6.2 on pfSense. I am now bombarded by this kind of log entry non-stop. Is there any setting to make it go away?
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:34:01+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:33:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:54+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:48+07:00” level=info msg=“capi metrics: sending”
time=“2024-09-30T04:33:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:29+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:23+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:21+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:19+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:18+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:13+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:05+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:52+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:51+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:22+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:21+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

According to information available on the internet, the prefix fe80::/10 is designated for Link-Local IPv6 Unicast Addresses.
So I manually added “IpInRange(evt.Meta.source_ip, "fe80::/10")” into the geoip-enrich.yaml file, and it has made the warning of fe80… go away.

I’m not sure if what I did was right. If so, could it be incorporated into the default geoip-enrich.yaml file for the next release?

I’m seeing similar messages:

time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

I do get that RFC1918 IPs can’t be resolved, but I don’t think it should be an error and spam my logs like this…
I’m using the latest docker container, am I doing something wrong here @iiAmLoz ?

Yes, it seems the application that is producing those isn’t setting just a single IP; we expect logs to have only a single address.

Are you using traefik with an upstream proxy?

Oh, so it’s a different error, thanks, I didn’t even notice there were several IP addresses.
I’m not really using another proxy, my traefik runs in docker on a bridge network, and is bound to a VIP I have set up using keepalived. My router also does port forwarding to the VIP.
Indeed in these logs 10.0.10.71 is the host running traefik with its own IP, the VIP is 10.0.10.70 and the IPs ending in .2 or .1 are my router.
I’m still struggling to understand where it got all those IPs…
Traefik is also using a forward auth plugin that goes out to the router and back to the VIP so maybe I understand why I’m seeing the IP of traefik itself.
Maybe it’s the authelia collection too that is parsing many IPs from the logs…
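
The thread describes two separate causes for these messages: non-routable sources (RFC1918 and fe80::/10 link-local) that the geo database has no range for, and a source value that holds several addresses instead of one. The following is an added example, not code from any poster or from CrowdSec; it triages the geoip-enrich lines in a crowdsec.log by cause and reports what share of the log they take up. The names `classify` and `triage` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the log lines quoted in this thread
# (192.0.2.10 is a documentation address added to show the "other" case).
SAMPLE_LOG = """\
time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.39.133'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-09-30T04:33:55+07:00" level=warning msg="No range found for ip 'fe80::8be:1485:5f2c:f09f'" id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-09-30T04:33:48+07:00" level=info msg="capi metrics: sending"
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:54+02:00" level=warning msg="No range found for ip '192.0.2.10'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
"""

# Matches both message variants seen in the thread, geoip-enrich lines only.
MSG_RE = re.compile(
    r"""msg="(?:No range found for|Unable to enrich) ip '([^']*)'".*name=crowdsecurity/geoip-enrich"""
)

# Ranges a public geo database cannot contain.
CIDRS = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "link-local": ("fe80::/10", "169.254.0.0/16"),
}
NETS = [(label, ipaddress.ip_network(c)) for label, cs in CIDRS.items() for c in cs]

def classify(value):
    """Explain why enrichment had nothing to return for this logged value."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 1:
        return "multi-address"      # the field holds a list, not a single source IP
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return "unparseable"
    for label, net in NETS:
        if ip.version == net.version and ip in net:
            return label
    return "other"                  # outside the known-benign ranges: review by hand

def triage(log_text):
    """Return (count per cause, share of all log lines that are geoip-enrich noise)."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    counts = Counter()
    for line in lines:
        match = MSG_RE.search(line)
        if match:
            counts[classify(match.group(1))] += 1
    share = sum(counts.values()) / len(lines) if lines else 0.0
    return counts, share
```

Lines that land in "multi-address" point at the log source or proxy configuration rather than at the geo database, and "other" is the only bucket that is not explained by the causes discussed above.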