Hello, I’ve been testing CrowdSec for a while now and it’s working without problems. I just have a question about a warning log that appears only for internal traffic from 192.168.0.0/16.
Since I have a lot of internal traffic, the log is quite large.
The log tells me this:
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.133’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.12.106’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.71.220’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.233’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.166.72’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
The list of parsers I have:
PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name                            Status   Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/apache2-logs      enabled  1.4      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
crowdsecurity/dateparse-enrich  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich      enabled  0.3      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/http-logs         enabled  1.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/sshd-logs         enabled  2.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/syslog-logs       enabled  0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists        enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
Currently not, as it is written to a logger which doesn’t know the context. If it pains you lots, you can download the pending updated parser to update it locally for now.
Depending on where you run CrowdSec you can do the following
I’m on 1.6.2 on pfSense. I am now bombarded by this kind of log entry non-stop. Is there any setting to make it go away?
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:34:01+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:33:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:54+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:48+07:00” level=info msg=“capi metrics: sending”
time=“2024-09-30T04:33:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:29+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:23+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:21+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:19+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:18+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:13+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:05+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:52+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:51+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:22+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:21+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
According to information available on the internet, the prefix fe80::/10 is designated for Link-Local IPv6 Unicast Addresses.
So I manually added IpInRange(evt.Meta.source_ip, "fe80::/10") into the geoip-enrich.yaml file, and it has made the warning of fe80… go away.
I’m not sure if what I did was right. If so, could it be incorporated into the default geoip-enrich.yaml file for the next release?
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71, 10.0.10.39'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2025-07-15T20:29:53+02:00" level=error msg="Unable to enrich ip '10.0.30.141, 10.0.10.71'" id=icy-fog method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
I do get that RFC1918 IPs can’t be resolved, but I don’t think it should be an error and spam my logs like this…
I’m using the latest docker container, am I doing something wrong here @iiAmLoz ?
Oh, so it’s a different error, thanks. I didn’t even notice there were several IP addresses.
I’m not really using another proxy, my traefik runs in docker on a bridge network, and is bound to a VIP I have set up using keepalived. My router also does port forwarding to the VIP.
Indeed in these logs 10.0.10.71 is the host running traefik with its own IP, the VIP is 10.0.10.70 and the IPs ending in .2 or .1 are my router.
I’m still struggling to understand where it got all those IPs…
Traefik is also using a forward auth plugin that goes out to the router and back to the VIP so maybe I understand why I’m seeing the IP of traefik itself.
Maybe it’s the authelia collection too that is parsing many IPs from the logs…
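Added example, not part of any post in this thread: a small Python triage script that reads geoip-enrich messages like the ones quoted above and separates lookups of RFC 1918 and fe80::/10 addresses (expected to have no GeoIP range) from lookups where the value is a comma-separated list of addresses, which is the different problem noticed in the last posts. The function names, labels and the shortened sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges named in the thread: RFC 1918 and IPv6 link-local (fe80::/10).
RANGES = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["fe80::/10"],
}
NETS = [(label, ipaddress.ip_network(n)) for label, ns in RANGES.items() for n in ns]

MSG_RE = re.compile(r"msg=\"(?:No range found for|Unable to enrich) ip '([^']*)'\"")
# Pasted logs often arrive with typographic quotes; undo that before matching.
STRAIGHTEN = str.maketrans("“”‘’", "\"\"''")

def classify(value):
    """Label the string that geoip-enrich tried to look up."""
    if "," in value:
        return "multi-value"  # a list of addresses, not one source IP
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return "unparsable"
    for label, net in NETS:
        if net.version == ip.version and ip in net:
            return label
    return "other"  # anything else deserves a closer look

def triage(lines):
    """Count geoip-enrich messages per class of looked-up value."""
    counts = Counter()
    for line in lines:
        m = MSG_RE.search(line.translate(STRAIGHTEN))
        if m:
            counts[classify(m.group(1))] += 1
    return counts

# Constructed sample, shortened from the log formats quoted in the thread.
SAMPLE = """\
level=warning msg=“No range found for ip ‘192.168.39.133’” name=crowdsecurity/geoip-enrich
level=warning msg="No range found for ip 'fe80::1089:d2b5:4e7a:9a25'" name=crowdsecurity/geoip-enrich
level=error msg="Unable to enrich ip '10.0.10.2, 10.0.10.71, 10.0.10.40'" name=crowdsecurity/geoip-enrich
level=warning msg="No range found for ip '10.0.30.141'" name=crowdsecurity/geoip-enrich
level=info msg="capi metrics: sending"
""".splitlines()

if __name__ == "__main__":
    for label, n in triage(SAMPLE).most_common():
        print(f"{n:4d}  {label}")
```

A non-zero "multi-value" count means source_ip is being filled with a whole forwarded-address list, which a range filter on geoip-enrich will not address.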