Logs crowdsec crowdsecurity/geoip-enrich

dieg0nob · June 6, 2024, 5:36pm

Hello, I’ve been testing crowdsec for a while now, it’s working without problems, I just have a question about a warning log that appears only for internal traffic from 192.168.0.0/16
Since I have a lot of internal traffic, the log is quite large

The log tells me this:

time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.133’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.12.106’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.71.220’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.39.233’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.166.72’” id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

the list of parsers I have:

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name Status Version Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/apache2-logs enabled 1.4 /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
crowdsecurity/dateparse-enrich enabled 0.2 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich enabled 0.3 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/http-logs enabled 1.2 /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/sshd-logs enabled 2.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/syslog-logs enabled 0.8 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists enabled 0.2 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

it’s normal this log ?

iiAmLoz · June 7, 2024, 8:22am

Yes as its a private IP range the geo database doesnt have ranges for these IP’s

VerticalCricket · June 14, 2024, 5:43pm

Can this warning be disabled somewhere? For context, these warnings make up 92% of my crowdsec.log.

iiAmLoz · June 14, 2024, 7:57pm

Currently not as it written to logger which doesnt know the context. if it pains you lots you can download the pending updated parser to update it locally for now.

Depending on where you run CrowdSec you can do the following

curl -s https://raw.githubusercontent.com/crowdsecurity/hub/35fe453e8edc325f291fe8f6df211af3ed224d76/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml > /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml

I have written tests so it should work fine and others have tested, but please if you encounter any issue report it here

europacafe · September 30, 2024, 3:26am

I’m on 1.6.2 on pfSense. I am now bombarded by this kind of log entries non-stop. Is there any setting to make it go away?
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:34:01+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:33:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:54+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:48+07:00” level=info msg=“capi metrics: sending”
time=“2024-09-30T04:33:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:29+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:23+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:21+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:20+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:19+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:18+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:17+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:16+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b22a:43ff:fe8f:d892’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:15+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:13+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:05+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:52+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:51+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:22+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:21+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:32:19+07:00” level=warning msg=“No range found for ip ‘fe80::86b9:a1cd:19f6:da4a’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

europacafe · September 30, 2024, 4:18am

europacafe:

‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
Sep 30 04:34:00 pfSense newsyslog[96306]: logfile turned over due to size>500K
time=“2024-09-30T04:33:55+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:54+07:00” level=warning msg=“No range found for ip ‘fe80::8be:1485:5f2c:f09f’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:53+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:48+07:00” level=info msg=“capi metrics: sending”
time=“2024-09-30T04:33:42+07:00” level=warning msg=“No range found for ip ‘fe80::5054:ff:fee9:a767’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:29+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:24+07:00” level=warning msg=“No range found for ip ‘fe80::b1e2:a7b3:76bf:e3ce’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:23+07:00” level=warning msg=“No range found for ip ‘fe80::1089:d2b5:4e7a:9a25’” id=cold-moon method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time=“2024-09-30T04:33:21+07:00” level=warning msg=“No range found for ip ‘fe80::b25c:daff:fe74:3832’” id=cold-moon method=IpToRange name=crowdsecur

According to information available on the internet, the prefix fe80::/10 is designated for Link-Local IPv6 Unicast Addresses.
So I manually added “IpInRange(evt.Meta.source_ip, “fe80::/10”)” into the geoip-enrich.yaml file, and it has made the warning of fe80… go away.

I’m not sure if what I did was right. If so, could it be incorporated into the default geoip-enrich.yaml file for the next release?

Topic		Replies	Views
Log-Files filled with "Unable to enrich ip '-'" crowdsec	1	32	August 27, 2024
Ten thousands of log entries in crowdsec.log crowdsec	1	12	October 27, 2024
False Positive IP blocking crowdsec	1	1669	September 30, 2021
How to do a SIMPLE log read and IP ban? crowdsec	7	201	June 16, 2024
Crowdsec IP whitelist for Bunny CDN crowdsec	1	24	October 14, 2024

Logs crowdsec crowdsecurity/geoip-enrich

Related topics