Logs crowdsec crowdsecurity/geoip-enrich

Hello, I've been testing CrowdSec for a while now and it's working without problems. I just have a question about a warning log that appears only for internal traffic from 192.168.0.0/16.
Since I have a lot of internal traffic, the log is quite large.

The log tells me this:

time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.39.133'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.12.106'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.71.220'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.39.233'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich
time="2024-06-06T13:46:10-03:00" level=warning msg="No range found for ip '192.168.166.72'" id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich

The list of parsers I have:

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            📦 Status    Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2-logs      ✔️ enabled   1.4      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich  ✔️ enabled   0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/geoip-enrich      ✔️ enabled   0.3      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/http-logs         ✔️ enabled   1.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/sshd-logs         ✔️ enabled   2.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs       ✔️ enabled   0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists        ✔️ enabled   0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

Is this log normal?

Yes, as it's a private IP range, the geo database doesn't have ranges for these IPs.

Can this warning be disabled somewhere? For context, these warnings make up 92% of my crowdsec.log.

Currently not, as it is written to the logger, which doesn't know the context. If it pains you a lot, you can download the pending updated parser to update it locally for now.

Depending on where you run CrowdSec, you can do the following:

curl -s https://raw.githubusercontent.com/crowdsecurity/hub/35fe453e8edc325f291fe8f6df211af3ed224d76/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml > /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml

I have written tests, so it should work fine, and others have tested it, but please, if you encounter any issue, report it here :llama:

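An added example, not from the thread or the CrowdSec project: before replacing the parser or filtering these lines out, this script measures what share of a log the "No range found" warnings make up and confirms they come only from non-global addresses, listing any public IP that also lacks a GeoIP range. The sample lines are constructed in the format shown above; the 8.8.8.8 entry and the info line are invented for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the geoip-enrich warning quoted in the thread. Straight and
# typographic quotes are both accepted because forum software rewrites them.
WARN_RE = re.compile(
    r"level=warning\s+msg=[\"“]No range found for ip ['‘]([^'’]+)['’][\"”]"
    r".*\bname=crowdsecurity/geoip-enrich\b"
)

def classify(ip_text):
    """Return 'non-global', 'global' or 'invalid' for a logged address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "global" if ip.is_global else "non-global"

def triage(lines):
    """Summarise geoip-enrich 'No range found' warnings in log lines."""
    total, kinds, review = 0, Counter(), Counter()
    for line in lines:
        total += 1
        match = WARN_RE.search(line)
        if not match:
            continue
        kind = classify(match.group(1))
        kinds[kind] += 1
        if kind != "non-global":
            # Expected noise is private/reserved space only; anything else
            # is worth a look before the warning is silenced.
            review[match.group(1)] += 1
    warnings = sum(kinds.values())
    return {"lines": total, "warnings": warnings,
            "share": warnings / total if total else 0.0,
            "kinds": dict(kinds), "review": dict(review)}

TAIL = "id=young-bush method=IpToRange name=crowdsecurity/geoip-enrich stage=s02-enrich"
# Constructed sample input (not real log data).
SAMPLE = [
    f"time=\"2024-06-06T13:46:10-03:00\" level=warning msg=\"No range found for ip '192.168.39.133'\" {TAIL}",
    f"time=\"2024-06-06T13:46:10-03:00\" level=warning msg=\"No range found for ip '192.168.12.106'\" {TAIL}",
    f"time=“2024-06-06T13:46:10-03:00” level=warning msg=“No range found for ip ‘192.168.71.220’” {TAIL}",
    f"time=\"2024-06-06T13:46:11-03:00\" level=warning msg=\"No range found for ip '8.8.8.8'\" {TAIL}",
    "time=\"2024-06-06T13:46:12-03:00\" level=info msg=\"constructed non-warning line\"",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To run it against a real file, pass an open file handle to `triage()` in place of `SAMPLE`.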