Nginx-proxy-manager+crowdsec (Docker) ban only local

Hi. I need your help please.
My nginx-proxy-manager + CrowdSec (Docker) setup bans only local connections (when I manually block an IP like 192.168.178.20). CrowdSec does not ban any IP when it comes from the internet.

Here is a login test with my smartphone and a lot of wrong passwords:

time="2024-02-04T08:45:47Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:45:47 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.363734ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:45:47Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:45:47 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 59.183465ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:45:47Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:45:47 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 60.202711ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:45:49Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:45:49 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 32.993893ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:45:58Z" level=info msg="127.0.0.1 - [Sun, 04 Feb 2024 08:45:58 UTC] \"GET /v1/heartbeat HTTP/1.1 200 2.098718ms \"crowdsec/v1.6.0-4b8e6cd7\" \""
time="2024-02-04T08:46:06Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:06 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 52.555757ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:06Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:06 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 39.544257ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:08Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:08 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 56.582049ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:16Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:16 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 27.155027ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:18Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:18 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 42.318818ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:21Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:21 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 49.456838ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:22Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:22 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 52.267765ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:24Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:24 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 47.276888ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:26Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:26 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.288275ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:28Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:28 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 55.292855ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:30Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:30 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 55.332625ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:31Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:31 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.059039ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:33Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:33 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 21.539795ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:36Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:36 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.704535ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:34Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:34 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.834066ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:37Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:37 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 55.739795ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:38Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:38 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.74405ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:40Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:40 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 22.253172ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:41Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:41 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.762581ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:43Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:43 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.709945ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:44Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:44 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.947656ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:46Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:46 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 47.627872ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:47Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:47 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.47808ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:48Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:48 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 52.407048ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:49Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:49 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.610498ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:51Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:51 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 52.962853ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:52Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:52 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 44.682386ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:53Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:53 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.819492ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:55Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:55 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 56.011935ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:54Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:54 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 54.243677ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:57Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:57 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 28.864571ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:58Z" level=info msg="127.0.0.1 - [Sun, 04 Feb 2024 08:46:58 UTC] \"GET /v1/heartbeat HTTP/1.1 200 2.631737ms \"crowdsec/v1.6.0-4b8e6cd7\" \""
time="2024-02-04T08:46:58Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:58 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 52.286686ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:46:59Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:46:59 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.742004ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:00Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:00 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 24.334815ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:16Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:16 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.114981ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:15Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:15 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 51.090949ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:12Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:12 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.7912ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:13Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:13 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 50.806746ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:10Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:10 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 53.14591ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:08Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:08 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 41.594396ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:09Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:09 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 47.459661ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:07Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:07 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 37.902577ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:04Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:04 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 35.343402ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:06Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:06 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 22.393502ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:03Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:03 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 22.540596ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-04T08:47:02Z" level=info msg="172.10.0.4 - [Sun, 04 Feb 2024 08:47:02 UTC] \"GET /v1/decisions?ip=176.6.181.160 HTTP/1.1 200 22.586777ms \"crowdsec-openresty-bouncer/v1.0.1\" \""

Here is my docker-compose.yml:

version: "3.8"
services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - "8080:8080"
      - "8181:8181"
      - "4443:4443"
    environment:
      TZ: "Europe/Berlin"
      DISABLE_IPV6: "1"
    volumes:
      - "/npm/data/nginx-proxy-manager:/config:rw"
      - "/npm/data/nginx-proxy-manager/crowdsec/templates:/templates:ro"
    networks:
      crowdsec_proxy:
        ipv4_address: 172.10.0.4


  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/npm/crowdsec/data:/var/lib/crowdsec/data"
      - "/npm/crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/data/logs:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      crowdsec_proxy:
        ipv4_address: 172.10.0.6

networks:
  crowdsec_proxy:
    ipam:
      driver: default
      config:
        - subnet: 172.10.0.0/24

Here is my config.yaml:

common:
  daemonize: false
  log_media: stdout
  log_level: info
  log_dir: /var/log/
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  parser_routines: 1
plugin_config:
  user: nobody
  group: nobody
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000
    max_age: 7d
  use_wal: true
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec//online_api_credentials.yaml
    enable: true
prometheus:
  enabled: true
  level: full
  listen_addr: 0.0.0.0
  listen_port: 6060

Here is my acquis.yml:

filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
 - /var/log/auth.log
 - /var/log/syslog
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2

Here is my user.yml:

common:
  daemonize: false
  log_media: stdout
  log_level: info
  log_dir: /var/log/
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data
  #simulation_path: /etc/crowdsec/config/simulation.yaml
  #hub_dir: /etc/crowdsec/hub/
  #index_path: ./config/hub/.index.json
crowdsec_service:
  #acquisition_path: ./config/acquis.yaml
  parser_routines: 1
cscli:
  output: human
db_config:
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  user: crowdsec
  #log_level: info
  password: crowdsec
  db_name: crowdsec
  host: "127.0.0.1"
  port: 3306
api:
  client:
    insecure_skip_verify: false # default true
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    #log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Central API
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
prometheus:
  enabled: true
  level: full

Here is the cscli bouncers list:

────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name          IP Address   Valid   Last API pull          Type                         Version   Auth Type 
────────────────────────────────────────────────────────────────────────────────────────────────────────────
 nginx-proxy   172.10.0.4   ✔️       2024-02-04T10:48:51Z   crowdsec-openresty-bouncer   v1.0.1    api-key   
────────────────────────────────────────────────────────────────────────────────────────────────────────────

Your configured subnet is NOT a private IP range; you must rectify this first.

Thx for your help :slight_smile:
I have changed the subnet IP to 172.16.0.0/24 and all other IPs in the docker-compose.yml and crowdsec-openresty-bouncer.conf. Then I logged in with a lot of wrong passwords from the local network and from my smartphone (not connected to my network). I can see both in the CrowdSec logs, but they are not banned automatically. I can ban them myself, and this works. But they are not banned automatically by CrowdSec. What is wrong with my configs? Here are the changed docker-compose.yml and crowdsec-openresty-bouncer.conf (without my API key).

docker-compose.yml:

version: "3.8"
services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - "8080:8080"
      - "8181:8181"
      - "4443:4443"
    environment:
      TZ: "Europe/Berlin"
      DISABLE_IPV6: "1"
    volumes:
      - "/npm/data/nginx-proxy-manager:/config:rw"
      - "/npm/data/nginx-proxy-manager/crowdsec/templates:/templates:ro"
    networks:
      crowdsec_proxy:
        ipv4_address: 172.16.0.4


  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/npm/crowdsec/data:/var/lib/crowdsec/data"
      - "/npm/crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/data/logs:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      crowdsec_proxy:
        ipv4_address: 172.16.0.6

networks:
  crowdsec_proxy:
    ipam:
      driver: default
      config:
        - subnet: 172.16.0.0/24

crowdsec-openresty-bouncer.conf:

ENABLED=true
API_URL=http://172.16.0.6:8080
API_KEY=myapikey
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=3000
UPDATE_FREQUENCY=10
# live or stream
MODE=live
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/tmp/crowdsec-openresty-bouncer-install/config/crowdsec//templates/ban.html
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=
# Captcha Secret Key
SECRET_KEY=
# Captcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/tmp/crowdsec-openresty-bouncer-install/config/crowdsec//templates/captcha.html
CAPTCHA_EXPIRATION=3600

Here are the CrowdSec container logs. The IP 176.6.188.72 is my smartphone via the internet. The IP 192.168.178.20 is my local computer. I can ban both manually, but not automatically.

time="2024-02-05T10:04:25Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 10:04:25 UTC] \"POST /v1/watchers/login HTTP/1.1 200 196.529822ms \"crowdsec/v1.6.0-4b8e6cd7\" \""
time="2024-02-05T10:05:25Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 10:05:25 UTC] \"GET /v1/heartbeat HTTP/1.1 200 643.979µs \"crowdsec/v1.6.0-4b8e6cd7\" \""
time="2024-02-05T10:05:34Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:34 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 85.156557ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:41Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:41 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 42.361088ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:48Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:48 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 38.098479ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:50Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:50 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 60.681505ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:51Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:51 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 60.507054ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:52Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:52 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 59.197276ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:54Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:54 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 53.518421ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:56Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:56 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.47447ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:57Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:57 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 58.389478ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:05:58Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:05:58 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 27.975276ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:00Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:00 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 32.84878ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:01Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:01 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 28.136435ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:03Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:03 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 26.190019ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:04Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:04 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 26.150629ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:05Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:05 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 25.254892ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:07Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:07 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 55.667171ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:08Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:08 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 28.024757ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:10Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:10 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 26.333382ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:11Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:11 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.783817ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:12Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:12 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.326107ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:13Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:13 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.379354ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:14Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:14 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 60.279137ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:16Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:16 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.545954ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:18Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:18 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 26.00599ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:25Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 10:06:25 UTC] \"GET /v1/heartbeat HTTP/1.1 200 956.01µs \"crowdsec/v1.6.0-4b8e6cd7\" \""
time="2024-02-05T10:06:33Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:33 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 54.950148ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:39Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:39 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 56.47205ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:40Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:40 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 58.351966ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:41Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:41 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 58.167409ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:42Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:42 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 26.180922ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:53Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:53 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 57.324102ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:54Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:54 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 58.722972ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:56Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:56 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 61.127486ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:06:58Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:06:58 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 61.661332ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:00Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:00 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 27.246456ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:01Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:01 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 26.084673ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:03Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:03 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 26.471876ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:05Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:05 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 55.264363ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:07Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:07 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 58.727164ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:08Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:08 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 59.323166ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T10:07:10Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 10:07:10 UTC] \"GET /v1/decisions?ip=192.168.178.20 HTTP/1.1 200 49.778635ms \"crowdsec-openresty-bouncer/v1.0.1\" \""

The cscli bouncers list is updated with the new IP:

────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name          IP Address   Valid   Last API pull          Type                         Version   Auth Type 
────────────────────────────────────────────────────────────────────────────────────────────────────────────
 nginx-proxy   172.16.0.4   ✔️       2024-02-05T10:30:17Z   crowdsec-openresty-bouncer   v1.0.1    api-key   
────────────────────────────────────────────────────────────────────────────────────────────────────────────

Can you provide the output of cscli metrics? Most likely local detection isn't happening because you have the default whitelist installed, however, for the remote one we will need to look at the metrics.

:/# cscli metrics

Acquisition Metrics:
╭────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│         Source         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log │ 6          │ -            │ 6              │ -                      │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/sshd-logs   │ 22   │ -      │ 22       │
│ child-crowdsecurity/syslog-logs │ 6    │ 6      │ -        │
│ crowdsecurity/sshd-logs         │ 2    │ -      │ 2        │
│ crowdsecurity/syslog-logs       │ 6    │ 6      │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions      │ GET    │ 5    │
│ /v1/heartbeat      │ GET    │ 12   │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 12   │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────┬───────────────┬────────┬──────╮
│   Bouncer   │     Route     │ Method │ Hits │
├─────────────┼───────────────┼────────┼──────┤
│ nginx-proxy │ /v1/decisions │ GET    │ 5    │
╰─────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────┬───────────────┬───────────────────╮
│   Bouncer   │ Empty answers │ Non-empty answers │
├─────────────┼───────────────┼───────────────────┤
│ nginx-proxy │ 5             │ 0                 │
╰─────────────┴───────────────┴───────────────────╯

Local API Alerts:
╭───────────────────────────────┬───────╮
│            Reason             │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 4     │
╰───────────────────────────────┴───────╯

Okay, and for CrowdSec you are mounting "/data/logs:/var/log/nginx:ro"; however, I don't see that mount for NPM, so the log files are not there.

The logs for my NPM (on host) are at: /npm/data/nginx-proxy-manager/log.
I have now changed the (empty) “/data/logs:/var/log/nginx:ro” folder to “/npm/data/nginx-proxy-manager/log:/var/log/nginx:ro”.

My external smartphone-ip is still not banned.

Here is the crowdsec-docker-log:

time="2024-02-05T15:00:33Z" level=info msg="Crowdsec v1.6.0-4192af30"
time="2024-02-05T15:00:33Z" level=info msg="Loading prometheus collectors"
time="2024-02-05T15:00:33Z" level=info msg="Loading CAPI manager"
time="2024-02-05T15:00:34Z" level=info msg="CAPI manager configured successfully"
time="2024-02-05T15:00:34Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-02-05T15:00:34Z" level=info msg="CrowdSec Local API listening on [::]:8080"
time="2024-02-05T15:00:34Z" level=info msg="Start push to CrowdSec Central API (interval: 5s once, then 10s)"
time="2024-02-05T15:00:34Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 34m24s once, then 30m0s)"
time="2024-02-05T15:00:34Z" level=info msg="capi metrics: sending"
time="2024-02-05T15:00:34Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="2024-02-05T15:00:34Z" level=info msg="last CAPI pull is newer than 1h30, skip."
time="2024-02-05T15:00:34Z" level=info msg="Start pull from CrowdSec Central API (interval: 2h2m25s once, then 2h0m0s)"
time="2024-02-05T15:00:36Z" level=info msg="Loading enrich plugins"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'IpToRange'"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'reverse_dns'"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'ParseDate'"
time="2024-02-05T15:00:36Z" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
time="2024-02-05T15:00:36Z" level=info msg="Loading parsers from 7 files"
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
time="2024-02-05T15:00:36Z" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-02-05T15:00:36Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
time="2024-02-05T15:00:36Z" level=info msg="Loaded 8 nodes from 3 stages"
time="2024-02-05T15:00:36Z" level=info msg="No postoverflow parsers to load"
time="2024-02-05T15:00:36Z" level=info msg="Loading 2 scenario files"
time="2024-02-05T15:00:36Z" level=info msg="Adding leaky bucket" cfg=lingering-snow name=crowdsecurity/ssh-slow-bf
time="2024-02-05T15:00:36Z" level=info msg="Adding leaky bucket" cfg=rough-night name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-02-05T15:00:36Z" level=info msg="Adding leaky bucket" cfg=still-firefly name=crowdsecurity/ssh-bf
time="2024-02-05T15:00:36Z" level=info msg="Adding leaky bucket" cfg=white-snowflake name=crowdsecurity/ssh-bf_user-enum
time="2024-02-05T15:00:36Z" level=info msg="Loaded 4 scenarios"
time="2024-02-05T15:00:36Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/error.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/fallback_access.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/fallback_error.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_access.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_error.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_access.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_error.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_access.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_error.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="2024-02-05T15:00:36Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-05T15:00:36Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-02-05T15:00:36Z" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
time="2024-02-05T15:00:36Z" level=info msg="Starting processing data"
time="2024-02-05T15:00:36Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 15:00:36 UTC] \"POST /v1/watchers/login HTTP/1.1 200 95.684191ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T15:01:36Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 15:01:36 UTC] \"GET /v1/heartbeat HTTP/1.1 200 803.407µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T15:02:28Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:28 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 47.865074ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:28Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:28 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 57.655595ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:28Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:28 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 64.847539ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:30Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:30 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 51.403165ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:36Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 15:02:36 UTC] \"GET /v1/heartbeat HTTP/1.1 200 829.785µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T15:02:44Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:44 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 43.704528ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:50Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:50 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.730735ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:52Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:52 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 29.639793ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:53Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:53 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 47.442168ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:55Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:55 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 42.781697ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:56Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:56 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.223032ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:57Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:57 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.232571ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:02:59Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:02:59 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.760176ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:00Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:00 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 21.26366ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:02Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:02 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 19.099911ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:03Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:03 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 18.868979ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:06Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:06 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.572954ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:07Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:07 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 42.835173ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:09Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:09 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.644573ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:10Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:10 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 19.028339ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:12Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:12 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 44.336873ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:13Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:13 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.408296ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:14Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:14 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 40.348365ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:15Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:15 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 49.970286ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:17Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:17 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 27.859797ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:18Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:18 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 43.044028ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:19Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:19 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 48.979721ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:20Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:20 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.494412ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:21Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:21 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.279082ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:22Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:22 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 33.272439ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:24Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:24 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.463999ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:25Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:25 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 21.637336ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:27Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:27 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.67111ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:28Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:28 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.959791ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:30Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:30 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 35.487359ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:31Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:31 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 39.749499ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:32Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:32 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 43.666301ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:34Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:34 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 49.21396ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:35Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:35 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 19.063357ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:36Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 15:03:36 UTC] \"GET /v1/heartbeat HTTP/1.1 200 1.777651ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T15:03:36Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:36 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.591944ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:37Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:37 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 51.15302ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:42Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:42 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 31.177458ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:43Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:43 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 31.668058ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:44Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:44 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.221703ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:45Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:45 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 36.13669ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:47Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:47 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 49.1564ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T15:03:49Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 15:03:49 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 44.3503ms \"crowdsec-openresty-bouncer/v1.0.1\" \""

Okay, and what does cscli metrics say?

:/# cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                   Source                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log                      │ 11         │ -            │ 11             │ -                      │
│ file:/var/log/nginx/error.log               │ 1          │ -            │ 1              │ -                      │
│ file:/var/log/nginx/fallback_error.log      │ 3          │ -            │ 3              │ -                      │
│ file:/var/log/nginx/proxy-host-3_access.log │ 83         │ -            │ 83             │ -                      │
╰─────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/sshd-logs   │ 11   │ -      │ 11       │
│ child-crowdsecurity/syslog-logs │ 11   │ 11     │ -        │
│ crowdsecurity/non-syslog        │ 87   │ 87     │ -        │
│ crowdsecurity/sshd-logs         │ 1    │ -      │ 1        │
│ crowdsecurity/syslog-logs       │ 11   │ 11     │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions      │ GET    │ 46   │
│ /v1/heartbeat      │ GET    │ 34   │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 34   │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────┬───────────────┬────────┬──────╮
│   Bouncer   │     Route     │ Method │ Hits │
├─────────────┼───────────────┼────────┼──────┤
│ nginx-proxy │ /v1/decisions │ GET    │ 46   │
╰─────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────┬───────────────┬───────────────────╮
│   Bouncer   │ Empty answers │ Non-empty answers │
├─────────────┼───────────────┼───────────────────┤
│ nginx-proxy │ 46            │ 0                 │
╰─────────────┴───────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────┬────────┬────────┬───────╮
│           Reason           │ Origin │ Action │ Count │
├────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/ssh-slow-bf  │ CAPI   │ ban    │ 45    │
│ firehol_cruzit_web_attacks │ lists  │ ban    │ 13252 │
│ firehol_cybercrime         │ lists  │ ban    │ 834   │
│ otx-webscanners            │ lists  │ ban    │ 8120  │
│ crowdsecurity/ssh-bf       │ CAPI   │ ban    │ 15208 │
╰────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────────┬───────╮
│            Reason             │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 3     │
╰───────────────────────────────┴───────╯

So it is failing to parse them, most likely because your acquisition is set to nginx.

Whereas you need the nginx-proxy-manager parser: CrowdSec Console
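The reading of `cscli metrics` that the reply above relies on (lines read but none parsed), automated as an added example; it is not part of the thread and not CrowdSec code. The `proxy-host-1` and `proxy-host-2` rows, the function names and the status labels are constructed for illustration, and counts are assumed to print as plain integers as they do in the thread.

```python
import re

# Acquisition table as printed by `cscli metrics` in the thread. The two rows
# for proxy-host-1 and proxy-host-2 are constructed for contrast (not from the thread).
SAMPLE = """\
Acquisition Metrics:
╭─────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                   Source                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log                      │ 11         │ -            │ 11             │ -                      │
│ file:/var/log/nginx/error.log               │ 1          │ -            │ 1              │ -                      │
│ file:/var/log/nginx/fallback_error.log      │ 3          │ -            │ 3              │ -                      │
│ file:/var/log/nginx/proxy-host-3_access.log │ 83         │ -            │ 83             │ -                      │
│ file:/var/log/nginx/proxy-host-1_access.log │ 40         │ 40           │ -              │ 12                     │
│ file:/var/log/nginx/proxy-host-2_access.log │ 9          │ 9            │ -              │ -                      │
╰─────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Local API Metrics:
"""


def count(cell):
    """Convert a metrics cell to an int; cscli prints '-' where the count is zero."""
    return int(cell) if cell.isdigit() else 0


def parse_table(text, title):
    """Return the rows of the table that follows `title` as a list of dicts."""
    lines = text.splitlines()
    try:
        start = lines.index(title) + 1
    except ValueError:
        return []  # section not present in this output
    header, rows = None, []
    for line in lines[start:]:
        line = line.strip()
        if not line:
            break  # a blank line ends the table
        if not line.startswith(("│", "|")):
            continue  # top, separator or bottom border
        cells = [c.strip() for c in re.split(r"[│|]", line)[1:-1]]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def classify(row):
    """Say how far down the pipeline a source's lines got."""
    read = count(row["Lines read"])
    parsed = count(row["Lines parsed"])
    poured = count(row["Lines poured to bucket"])
    if read == 0:
        return "idle"
    if parsed == 0:
        # Lines are acquired but nothing parses them, so no scenario can ever
        # see this source and no decision can result from it.
        return "unparsed"
    if poured == 0:
        # Parsed, but no scenario has taken these events; can be normal for
        # benign traffic.
        return "parsed-not-poured"
    return "ok"


def diagnose(text):
    """Map each acquisition source to its pipeline status."""
    return {r["Source"]: classify(r) for r in parse_table(text, "Acquisition Metrics:")}


if __name__ == "__main__":
    for source, status in diagnose(SAMPLE).items():
        print(f"{status:18} {source}")
```

Every source taken from the thread comes out as `unparsed`, which matches the bouncer table showing only empty answers: no event ever reaches a scenario, so no local decision exists for the bouncer to return.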

Still not banned. Here are the logs:

Docker-logs:

time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
time="2024-02-05T16:41:56Z" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-proxy-manager-logs.yaml stage=s01-parse
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
time="2024-02-05T16:41:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
time="2024-02-05T16:41:56Z" level=info msg="Loaded 10 nodes from 3 stages"
time="2024-02-05T16:41:56Z" level=info msg="No postoverflow parsers to load"
time="2024-02-05T16:41:56Z" level=info msg="Loading 40 scenario files"
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=twilight-water name=crowdsecurity/CVE-2022-35914
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=withered-sky name=crowdsecurity/http-backdoors-attempts
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=green-sun name=crowdsecurity/apache_log4j2_cve-2021-44228
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=dark-water name=crowdsecurity/CVE-2022-26134
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=bitter-butterfly name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=restless-field name=crowdsecurity/netgear_rce
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=summer-cherry name=crowdsecurity/CVE-2019-18935
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=patient-water name=crowdsecurity/http-cve-2021-42013
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=lively-firefly name=crowdsecurity/vmware-cve-2022-22954
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=proud-moon name=crowdsecurity/spring4shell_cve-2022-22965
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=rough-wildflower name=crowdsecurity/CVE-2023-49103
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=bold-grass name=crowdsecurity/fortinet-cve-2022-40684
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=snowy-smoke name=crowdsecurity/http-probing
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=bold-bush name=crowdsecurity/f5-big-ip-cve-2020-5902
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=lingering-haze name=crowdsecurity/http-sensitive-files
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=cool-fire name=crowdsecurity/thinkphp-cve-2018-20062
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=bold-wave name=crowdsecurity/http-path-traversal-probing
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=quiet-butterfly name=crowdsecurity/CVE-2022-44877
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=wandering-mountain name=crowdsecurity/fortinet-cve-2018-13379
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=spring-glade name=crowdsecurity/http-crawl-non_statics
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=spring-grass name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=young-water name=crowdsecurity/http-generic-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=shy-frost name=LePresidente/http-generic-401-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=purple-rain name=LePresidente/http-generic-403-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=sparkling-dew name=crowdsecurity/CVE-2022-41082
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=throbbing-breeze name=crowdsecurity/CVE-2023-22515
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=icy-fog name=crowdsecurity/CVE-2022-37042
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=cold-lake name=crowdsecurity/ssh-slow-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=wandering-mountain name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=delicate-dream name=crowdsecurity/CVE-2022-46169-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=young-shadow name=crowdsecurity/CVE-2022-46169-cmd
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=rough-hill name=crowdsecurity/http-admin-interface-probing
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=wispy-silence name=crowdsecurity/CVE-2023-22518
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=black-wildflower name=crowdsecurity/CVE-2022-42889
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=dark-fog name=crowdsecurity/CVE-2022-41697
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=still-tree name=crowdsecurity/http-bad-user-agent
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=quiet-field name=crowdsecurity/http-cve-2021-41773
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=ancient-dew name=crowdsecurity/http-sqli-probbing-detection
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=red-violet name=ltsich/http-w00tw00t
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=wispy-bird name=crowdsecurity/http-open-proxy
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=divine-firefly name=crowdsecurity/http-xss-probbing
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=morning-sky name=crowdsecurity/grafana-cve-2021-43798
time="2024-02-05T16:41:56Z" level=info msg="Adding trigger bucket" cfg=cool-darkness name=crowdsecurity/jira_cve-2021-26086
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=lively-forest name=crowdsecurity/ssh-bf
time="2024-02-05T16:41:56Z" level=info msg="Adding leaky bucket" cfg=dry-grass name=crowdsecurity/ssh-bf_user-enum
time="2024-02-05T16:41:56Z" level=info msg="Loaded 45 scenarios"
time="2024-02-05T16:41:56Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/fallback_access.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/fallback_error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_access.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_access.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_access.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern ~/var/log/nginx*.log" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
time="2024-02-05T16:41:56Z" level=info msg="Starting processing data"
time="2024-02-05T16:41:56Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 16:41:56 UTC] \"POST /v1/watchers/login HTTP/1.1 200 95.317259ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T16:42:22Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:22 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 19.45227ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:27Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:27 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.911709ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:29Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:29 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 18.948364ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:31Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:31 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 43.319215ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:33Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:33 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 47.773901ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:35Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:35 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 48.894792ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:36Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:36 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 48.62443ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:37Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:37 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.572998ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:38Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:38 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.388191ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:39Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:39 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.575222ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:41Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:41 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 48.025814ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:42Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:42 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 49.698601ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:43Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:43 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 50.253767ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:44Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:44 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 26.791335ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:45Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:45 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 40.179973ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:47Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:47 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.948211ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:48Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:48 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.504321ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:50Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:50 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 44.004415ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:51Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:51 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 42.054634ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:52Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:52 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 48.862988ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:54Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:54 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 45.742882ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:55Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:55 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 46.695988ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:56Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:56 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 35.656926ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-05T16:42:56Z" level=info msg="127.0.0.1 - [Mon, 05 Feb 2024 16:42:56 UTC] \"GET /v1/heartbeat HTTP/1.1 200 546.588µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-05T16:42:57Z" level=info msg="172.16.0.4 - [Mon, 05 Feb 2024 16:42:57 UTC] \"GET /v1/decisions?ip=176.6.188.72 HTTP/1.1 200 47.913959ms \"crowdsec-openresty-bouncer/v1.0.1\" \""

Acquis.yaml:

filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
  - ~/var/log/nginx*.log
labels:
  type: nginx-proxy-manager
---
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2

cscli metrics:

cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                   Source                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log                      │ 3          │ -            │ 3              │ -                      │
│ file:/var/log/nginx/fallback_error.log      │ 1          │ -            │ 1              │ -                      │
│ file:/var/log/nginx/proxy-host-3_access.log │ 79         │ -            │ 79             │ -                      │
╰─────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/sshd-logs   │ 11   │ -      │ 11       │
│ child-crowdsecurity/syslog-logs │ 3    │ 3      │ -        │
│ crowdsecurity/non-syslog        │ 80   │ 80     │ -        │
│ crowdsecurity/sshd-logs         │ 1    │ -      │ 1        │
│ crowdsecurity/syslog-logs       │ 3    │ 3      │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions      │ GET    │ 44   │
│ /v1/heartbeat      │ GET    │ 8    │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 8    │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────┬───────────────┬────────┬──────╮
│   Bouncer   │     Route     │ Method │ Hits │
├─────────────┼───────────────┼────────┼──────┤
│ nginx-proxy │ /v1/decisions │ GET    │ 44   │
╰─────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────┬───────────────┬───────────────────╮
│   Bouncer   │ Empty answers │ Non-empty answers │
├─────────────┼───────────────┼───────────────────┤
│ nginx-proxy │ 43            │ 1                 │
╰─────────────┴───────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────┬────────┬────────┬───────╮
│           Reason           │ Origin │ Action │ Count │
├────────────────────────────┼────────┼────────┼───────┤
│ firehol_cybercrime         │ lists  │ ban    │ 834   │
│ otx-webscanners            │ lists  │ ban    │ 8120  │
│ crowdsecurity/ssh-bf       │ CAPI   │ ban    │ 15407 │
│ crowdsecurity/ssh-slow-bf  │ CAPI   │ ban    │ 49    │
│ firehol_cruzit_web_attacks │ lists  │ ban    │ 13252 │
╰────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────────┬───────╮
│            Reason             │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 3     │
╰───────────────────────────────┴───────╯

That's because the pattern you put doesn't match any files. Instead of your acquisition, all you need is:

filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx-proxy-manager
---
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog

You're just rushing too fast to spot the errors
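
Added example, not part of any post in this thread: a small triage script that reads CrowdSec's startup output and lists which acquisition patterns matched no files, why each one likely failed, and whether an expected log directory ended up with no datasource at all. The helper names (`classify`, `triage`, `report`) and the `expected_dirs` parameter are hypothetical; the sample lines are copied from the startup log posted above.

```python
import re
from collections import Counter

# Startup lines copied from the CrowdSec container log posted above in this thread.
FIRST_START = r'''
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_access.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_error.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern ~/var/log/nginx*.log" type=file
time="2024-02-05T16:41:56Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-02-05T16:41:56Z" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
time="2024-02-05T16:41:56Z" level=info msg="Starting processing data"
'''

# logfmt-style line: pull out the level and the (possibly escaped) msg value.
LINE_RE = re.compile(r'level=(?P<level>\w+) msg="(?P<msg>(?:[^"\\]|\\.)*)"')
NO_MATCH_RE = re.compile(r"No matching files for pattern (?P<pattern>.+)$")
ADDED_RE = re.compile(r"Adding file (?P<path>.+) to datasources$")

HINTS = {
    "tilde": "'~' is only expanded by a shell; a glob matcher looks for a "
             "directory literally named '~'. Write the absolute path.",
    "relative": "relative paths resolve against the agent's working directory. "
                "Write the absolute path or drop the entry.",
    "absent": "absolute path with no match: check the file exists inside the "
              "container (volume mount) and the glob is spelled correctly.",
}


def classify(pattern):
    """Return a short category for why a pattern probably matched nothing."""
    if pattern.startswith("~"):
        return "tilde"
    if not pattern.startswith("/"):
        return "relative"
    return "absent"


def triage(log_text, expected_dirs=()):
    """Summarise acquisition results found in CrowdSec startup output.

    expected_dirs: directory prefixes that must contribute at least one file
    (an assumption supplied by the operator, e.g. the nginx log directory).
    """
    unmatched, added = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        miss = NO_MATCH_RE.match(msg)
        hit = ADDED_RE.match(msg)
        if miss:
            pattern = miss.group("pattern")
            unmatched.append((pattern, classify(pattern)))
        elif hit:
            added[hit.group("path")] += 1
    return {
        "unmatched": unmatched,
        "added": sorted(added),
        # A file added more than once is reached by more than one pattern.
        "duplicates": sorted(p for p, n in added.items() if n > 1),
        "missing_dirs": [d for d in expected_dirs
                         if not any(p.startswith(d) for p in added)],
    }


def report(result):
    """Render the triage result as plain text for a terminal."""
    out = []
    for pattern, kind in result["unmatched"]:
        out.append(f"NO MATCH  {pattern}\n          {HINTS[kind]}")
    for path in result["duplicates"]:
        out.append(f"DUPLICATE {path} is added more than once")
    for directory in result["missing_dirs"]:
        out.append(f"MISSING   no datasource under {directory}")
    out.append(f"{len(result['added'])} file(s) acquired")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(FIRST_START, expected_dirs=("/var/log/nginx/",))))
```

Feed it the output of the container's log after each restart; an entry under `missing_dirs` means the parser for that service will never see a line, whatever the bouncer does.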

Ok :slight_smile:

Here is the new log:

Local agent already registered
Check if lapi needs to register an additional agent
time="2024-02-06T07:31:49Z" level=info msg="hub index is up to date"
time="2024-02-06T07:31:49Z" level=info msg="Upgrading parsers"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/dateparse-enrich: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/syslog-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/cri-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/geoip-enrich: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/sshd-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/nginx-proxy-manager-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/whitelists: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/docker-logs: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="Upgraded 0 parsers"
time="2024-02-06T07:31:49Z" level=info msg="Upgrading postoverflows"
time="2024-02-06T07:31:49Z" level=info msg="Upgraded 0 postoverflows"
time="2024-02-06T07:31:49Z" level=info msg="Upgrading scenarios"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-bad-user-agent: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2019-18935: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-cve-2021-41773: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-42889: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-sqli-probing: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/apache_log4j2_cve-2021-44228: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="ltsich/http-w00tw00t: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-40684: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/vmware-vcenter-vmsa-2021-0027: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/f5-big-ip-cve-2020-5902: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-41082: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/vmware-cve-2022-22954: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-44877: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/thinkphp-cve-2018-20062: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-46169: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-37042: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2023-22518: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-backdoors-attempts: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-26134: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/ssh-bf: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/grafana-cve-2021-43798: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-41697: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-generic-bf: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/CVE-2022-35914: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-cve-2021-42013: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/http-probing: up-to-date"
time="2024-02-06T07:31:49Z" level=info msg="crowdsecurity/jira_cve-2021-26086: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/netgear_rce: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/spring4shell_cve-2022-22965: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-open-proxy: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-sensitive-files: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/fortinet-cve-2018-13379: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-path-traversal-probing: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/CVE-2023-49103: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-crawl-non_statics: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/pulse-secure-sslvpn-cve-2019-11510: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/ssh-slow-bf: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-admin-interface-probing: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-xss-probing: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/CVE-2023-22515: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="Upgraded 0 scenarios"
time="2024-02-06T07:31:50Z" level=info msg="Upgrading contexts"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/bf_base: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http_base: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="Upgraded 0 contexts"
time="2024-02-06T07:31:50Z" level=info msg="Upgrading appsec-configs"
time="2024-02-06T07:31:50Z" level=info msg="Upgraded 0 appsec-configs"
time="2024-02-06T07:31:50Z" level=info msg="Upgrading appsec-rules"
time="2024-02-06T07:31:50Z" level=info msg="Upgraded 0 appsec-rules"
time="2024-02-06T07:31:50Z" level=info msg="Upgrading collections"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/http-cve: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/linux: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/base-http-scenarios: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/sshd: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="crowdsecurity/nginx-proxy-manager: up-to-date"
time="2024-02-06T07:31:50Z" level=info msg="Upgraded 0 collections"
Running: cscli  parsers install "crowdsecurity/docker-logs" 
time="2024-02-06T07:31:50Z" level=warning msg="crowdsecurity/docker-logs: overwrite"
time="2024-02-06T07:31:50Z" level=info msg="Enabled crowdsecurity/docker-logs"
time="2024-02-06T07:31:50Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
Running: cscli  parsers install "crowdsecurity/cri-logs" 
time="2024-02-06T07:31:51Z" level=warning msg="crowdsecurity/cri-logs: overwrite"
time="2024-02-06T07:31:51Z" level=info msg="Enabled crowdsecurity/cri-logs"
time="2024-02-06T07:31:51Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="2024-02-06T07:31:51Z" level=info msg="Enabled feature flags: <none>"
time="2024-02-06T07:31:51Z" level=info msg="Crowdsec v1.6.0-4192af30"
time="2024-02-06T07:31:51Z" level=info msg="Loading prometheus collectors"
time="2024-02-06T07:31:51Z" level=info msg="Loading CAPI manager"
time="2024-02-06T07:31:54Z" level=info msg="CAPI manager configured successfully"
time="2024-02-06T07:31:54Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-02-06T07:31:54Z" level=info msg="CrowdSec Local API listening on [::]:8080"
time="2024-02-06T07:31:54Z" level=info msg="Start push to CrowdSec Central API (interval: 4s once, then 10s)"
time="2024-02-06T07:31:54Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 39m31s once, then 30m0s)"
time="2024-02-06T07:31:54Z" level=info msg="capi metrics: sending"
time="2024-02-06T07:31:54Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="2024-02-06T07:31:54Z" level=info msg="last CAPI pull is newer than 1h30, skip."
time="2024-02-06T07:31:54Z" level=info msg="Start pull from CrowdSec Central API (interval: 2h3m23s once, then 2h0m0s)"
time="2024-02-06T07:31:55Z" level=info msg="Loading enrich plugins"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'IpToRange'"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'reverse_dns'"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'ParseDate'"
time="2024-02-06T07:31:55Z" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
time="2024-02-06T07:31:55Z" level=info msg="Loading parsers from 9 files"
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
time="2024-02-06T07:31:55Z" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-proxy-manager-logs.yaml stage=s01-parse
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
time="2024-02-06T07:31:55Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
time="2024-02-06T07:31:55Z" level=info msg="Loaded 10 nodes from 3 stages"
time="2024-02-06T07:31:55Z" level=info msg="No postoverflow parsers to load"
time="2024-02-06T07:31:55Z" level=info msg="Loading 40 scenario files"
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=shy-darkness name=crowdsecurity/apache_log4j2_cve-2021-44228
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=weathered-meadow name=crowdsecurity/CVE-2022-37042
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=green-pond name=crowdsecurity/http-path-traversal-probing
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=patient-hill name=crowdsecurity/jira_cve-2021-26086
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=small-wave name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=delicate-wave name=crowdsecurity/http-admin-interface-probing
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=old-river name=crowdsecurity/CVE-2022-35914
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=lively-fire name=crowdsecurity/netgear_rce
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=morning-wind name=crowdsecurity/http-cve-2021-41773
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=damp-dawn name=crowdsecurity/CVE-2023-49103
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=misty-river name=crowdsecurity/f5-big-ip-cve-2020-5902
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=frosty-paper name=crowdsecurity/http-open-proxy
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=ancient-surf name=crowdsecurity/CVE-2022-44877
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=broken-waterfall name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=green-bush name=crowdsecurity/CVE-2022-26134
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=winter-field name=crowdsecurity/spring4shell_cve-2022-22965
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=polished-sunset name=crowdsecurity/CVE-2022-46169-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=weathered-breeze name=crowdsecurity/CVE-2022-46169-cmd
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=dark-fog name=crowdsecurity/vmware-cve-2022-22954
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=little-firefly name=crowdsecurity/fortinet-cve-2018-13379
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=little-rain name=crowdsecurity/fortinet-cve-2022-40684
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=cold-sun name=crowdsecurity/http-generic-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=misty-fire name=LePresidente/http-generic-401-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=aged-thunder name=LePresidente/http-generic-403-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=autumn-shadow name=crowdsecurity/CVE-2022-42889
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=black-pine name=crowdsecurity/CVE-2023-22518
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=bold-pine name=crowdsecurity/CVE-2022-41697
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=still-silence name=crowdsecurity/http-sensitive-files
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=falling-bush name=crowdsecurity/thinkphp-cve-2018-20062
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=frosty-frog name=crowdsecurity/http-bad-user-agent
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=dark-water name=crowdsecurity/ssh-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=blue-wildflower name=crowdsecurity/ssh-bf_user-enum
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=throbbing-pine name=crowdsecurity/http-xss-probbing
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=white-thunder name=crowdsecurity/CVE-2022-41082
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=broken-wave name=crowdsecurity/http-probing
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=solitary-wildflower name=crowdsecurity/http-sqli-probbing-detection
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=late-leaf name=crowdsecurity/CVE-2023-22515
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=purple-thunder name=crowdsecurity/http-cve-2021-42013
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=spring-sunset name=ltsich/http-w00tw00t
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=blue-frost name=crowdsecurity/CVE-2019-18935
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=icy-field name=crowdsecurity/ssh-slow-bf
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=floral-morning name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=little-haze name=crowdsecurity/http-crawl-non_statics
time="2024-02-06T07:31:55Z" level=info msg="Adding leaky bucket" cfg=bold-hill name=crowdsecurity/http-backdoors-attempts
time="2024-02-06T07:31:55Z" level=info msg="Adding trigger bucket" cfg=cold-snowflake name=crowdsecurity/grafana-cve-2021-43798
time="2024-02-06T07:31:55Z" level=info msg="Loaded 45 scenarios"
time="2024-02-06T07:31:55Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="2024-02-06T07:31:55Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-06T07:31:55Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-06T07:31:55Z" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="2024-02-06T07:31:55Z" level=info msg="Starting processing data"
time="2024-02-06T07:31:55Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 07:31:55 UTC] \"POST /v1/watchers/login HTTP/1.1 200 86.406291ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T07:32:45Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:45 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 48.964742ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:48Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:48 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 77.093646ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:49Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:49 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 71.663214ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:51Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:51 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 74.778297ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:52Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:52 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 77.388007ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:53Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:53 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 44.530393ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:55Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:55 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 68.636883ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:55Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 07:32:55 UTC] \"GET /v1/heartbeat HTTP/1.1 200 670.938µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T07:32:56Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:56 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 75.106729ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:57Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:57 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 72.508353ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:58 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 71.826862ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:32:59Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:32:59 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 71.726369ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:01Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:01 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 38.382866ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:02Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:02 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 37.502008ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:03Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:03 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 37.717886ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:04Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:04 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 37.36692ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:05Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:05 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 74.810774ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:06Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:06 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 79.970983ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:08Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:08 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 77.203814ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:09Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:09 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 74.493444ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:10Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:10 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 70.393061ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:11Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:11 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 79.771543ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:12Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:12 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 50.366251ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:14Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:14 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 73.76734ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T07:33:15Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 07:33:15 UTC] \"GET /v1/decisions?ip=176.6.185.9 HTTP/1.1 200 75.628289ms \"crowdsec-openresty-bouncer/v1.0.1\" \""

Metrics:

Acquisition Metrics:
╭────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│         Source         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log │ 5          │ -            │ 5              │ -                      │
│ file:/var/log/syslog   │ 159        │ -            │ 159            │ -                      │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭──────────────────────────────────────────────┬──────┬────────┬──────────╮
│                   Parsers                    │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/nginx-proxy-manager-logs │ 6    │ -      │ 6        │
│ child-crowdsecurity/sshd-logs                │ 11   │ -      │ 11       │
│ child-crowdsecurity/syslog-logs              │ 162  │ 162    │ -        │
│ crowdsecurity/nginx-proxy-manager-logs       │ 2    │ -      │ 2        │
│ crowdsecurity/non-syslog                     │ 2    │ 2      │ -        │
│ crowdsecurity/sshd-logs                      │ 1    │ -      │ 1        │
│ crowdsecurity/syslog-logs                    │ 162  │ 162    │ -        │
╰──────────────────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions      │ GET    │ 24   │
│ /v1/heartbeat      │ GET    │ 7    │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 7    │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────┬───────────────┬────────┬──────╮
│   Bouncer   │     Route     │ Method │ Hits │
├─────────────┼───────────────┼────────┼──────┤
│ nginx-proxy │ /v1/decisions │ GET    │ 24   │
╰─────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────┬───────────────┬───────────────────╮
│   Bouncer   │ Empty answers │ Non-empty answers │
├─────────────┼───────────────┼───────────────────┤
│ nginx-proxy │ 24            │ 0                 │
╰─────────────┴───────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│                   Reason                   │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 11    │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 10    │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 80    │
│ crowdsecurity/CVE-2023-22518               │ CAPI   │ ban    │ 10    │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 13333 │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 5     │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 803   │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 35    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 5     │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 48    │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 405   │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 43    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 365   │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 17    │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 56    │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 1341  │
│ firehol_cybercrime                         │ lists  │ ban    │ 840   │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 21    │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 858   │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 179   │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 167   │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 1221  │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 215   │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 1120  │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 23    │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 4     │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13252 │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 19    │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 13975 │
│ otx-webscanners                            │ lists  │ ban    │ 8225  │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 48    │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────────┬───────╮
│            Reason             │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 3     │
╰───────────────────────────────┴───────╯

The files are not detected. Can you make sure they are mounted to the location and have the correct path within acquisition?
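The check this reply asks for, as an added example (not part of the thread and not CrowdSec code): it compares the paths the agent is expected to read against an acquisition table and labels each one. The function names, the state labels and the ASCII-pipe re-typing of the thread's two acquisition tables are assumptions made for the example.

```python
import re

# Constructed sample: the two "Acquisition Metrics" tables posted in this
# thread, re-typed with ASCII pipes (cscli itself prints box-drawing borders).
BEFORE_FIX = """
| Source                 | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
| file:/var/log/auth.log | 5          | -            | 5              | -                      |
| file:/var/log/syslog   | 159        | -            | 159            | -                      |
"""
AFTER_FIX = """
| Source                                      | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
| file:/var/log/auth.log                      | 2          | -            | 2              | -                      |
| file:/var/log/nginx/proxy-host-3_access.log | 50         | 50           | -              | -                      |
| file:/var/log/syslog                        | 106        | -            | 106            | -                      |
"""

# Paths the agent is expected to read, taken from the startup log in this thread.
EXPECTED = [
    "/var/log/nginx/proxy-host-3_access.log",
    "/var/log/auth.log",
    "/var/log/syslog",
]

FIELDS = ("read", "parsed", "unparsed", "poured")
COUNT = re.compile(r"\d+|-")


def parse_acquisition(table):
    """Return {path: {read, parsed, unparsed, poured}} from an acquisition table."""
    rows = {}
    for line in table.splitlines():
        # Accept both the box-drawing separator and a plain ASCII pipe.
        cells = [c.strip() for c in re.split(r"[│|]", line)][1:-1]
        if len(cells) != 5 or not all(COUNT.fullmatch(c) for c in cells[1:]):
            continue  # border, header, or unrelated line
        source = cells[0][5:] if cells[0].startswith("file:") else cells[0]
        # A "-" cell is treated as zero here.
        rows[source] = {f: 0 if v == "-" else int(v) for f, v in zip(FIELDS, cells[1:])}
    return rows


def triage(table, expected):
    """Label each expected path by how far its lines got in the pipeline."""
    seen = parse_acquisition(table)
    report = {}
    for path in expected:
        row = seen.get(path)
        if row is None:
            # Absent from the table: check the volume mount and the acquis path.
            report[path] = "not read"
        elif row["parsed"] == 0:
            report[path] = "read, unparsed"
        elif row["poured"] == 0:
            # Parsed, but no scenario bucket received the events.
            report[path] = "parsed, no bucket"
        else:
            report[path] = "ok"
    return report


if __name__ == "__main__":
    for name, table in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name)
        for path, state in triage(table, EXPECTED).items():
            print(f"  {path}: {state}")
```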

The NPM log files are correctly mounted now. Syslog and auth.log were not changed; they were already in the right place (in container and host @/var/logs).

Local agent already registered
Check if lapi needs to register an additional agent
time="2024-02-06T13:43:52Z" level=info msg="hub index is up to date"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading parsers"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/nginx-proxy-manager-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/cri-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/sshd-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/syslog-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/whitelists: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/geoip-enrich: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/dateparse-enrich: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/docker-logs: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 parsers"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading postoverflows"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 postoverflows"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading scenarios"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/ssh-slow-bf: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-42889: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2023-22518: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/ssh-bf: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2019-18935: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-cve-2021-41773: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-crawl-non_statics: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-cve-2021-42013: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-44877: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/f5-big-ip-cve-2020-5902: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-26134: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-admin-interface-probing: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-open-proxy: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-path-traversal-probing: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2023-22515: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/jira_cve-2021-26086: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-bad-user-agent: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-sqli-probing: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/spring4shell_cve-2022-22965: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-backdoors-attempts: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-41697: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-41082: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/fortinet-cve-2018-13379: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/vmware-cve-2022-22954: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-46169: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-35914: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-probing: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-xss-probing: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/netgear_rce: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/thinkphp-cve-2018-20062: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/pulse-secure-sslvpn-cve-2019-11510: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/apache_log4j2_cve-2021-44228: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-sensitive-files: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/vmware-vcenter-vmsa-2021-0027: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-40684: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="ltsich/http-w00tw00t: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/grafana-cve-2021-43798: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-generic-bf: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2022-37042: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/CVE-2023-49103: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 scenarios"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading contexts"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/bf_base: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http_base: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 contexts"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading appsec-configs"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 appsec-configs"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading appsec-rules"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 appsec-rules"
time="2024-02-06T13:43:52Z" level=info msg="Upgrading collections"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/linux: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/nginx-proxy-manager: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/http-cve: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/base-http-scenarios: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="crowdsecurity/sshd: up-to-date"
time="2024-02-06T13:43:52Z" level=info msg="Upgraded 0 collections"
Running: cscli  parsers install "crowdsecurity/docker-logs" 
time="2024-02-06T13:43:53Z" level=warning msg="crowdsecurity/docker-logs: overwrite"
time="2024-02-06T13:43:53Z" level=info msg="Enabled crowdsecurity/docker-logs"
time="2024-02-06T13:43:53Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
Running: cscli  parsers install "crowdsecurity/cri-logs" 
time="2024-02-06T13:43:53Z" level=warning msg="crowdsecurity/cri-logs: overwrite"
time="2024-02-06T13:43:53Z" level=info msg="Enabled crowdsecurity/cri-logs"
time="2024-02-06T13:43:53Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
time="2024-02-06T13:43:54Z" level=info msg="Enabled feature flags: <none>"
time="2024-02-06T13:43:54Z" level=info msg="Crowdsec v1.6.0-4192af30"
time="2024-02-06T13:43:54Z" level=info msg="Loading prometheus collectors"
time="2024-02-06T13:43:54Z" level=info msg="Loading CAPI manager"
time="2024-02-06T13:43:55Z" level=info msg="CAPI manager configured successfully"
time="2024-02-06T13:43:55Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-02-06T13:43:55Z" level=info msg="CrowdSec Local API listening on [::]:8080"
time="2024-02-06T13:43:55Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 18m5s once, then 30m0s)"
time="2024-02-06T13:43:55Z" level=info msg="Start push to CrowdSec Central API (interval: 12s once, then 10s)"
time="2024-02-06T13:43:55Z" level=info msg="capi metrics: sending"
time="2024-02-06T13:43:55Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="2024-02-06T13:43:55Z" level=info msg="last CAPI pull is newer than 1h30, skip."
time="2024-02-06T13:43:55Z" level=info msg="Start pull from CrowdSec Central API (interval: 1h56m51s once, then 2h0m0s)"
time="2024-02-06T13:43:56Z" level=info msg="Loading enrich plugins"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'IpToRange'"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'reverse_dns'"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'ParseDate'"
time="2024-02-06T13:43:56Z" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
time="2024-02-06T13:43:56Z" level=info msg="Loading parsers from 9 files"
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
time="2024-02-06T13:43:56Z" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-proxy-manager-logs.yaml stage=s01-parse
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
time="2024-02-06T13:43:56Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
time="2024-02-06T13:43:56Z" level=info msg="Loaded 10 nodes from 3 stages"
time="2024-02-06T13:43:56Z" level=info msg="No postoverflow parsers to load"
time="2024-02-06T13:43:56Z" level=info msg="Loading 40 scenario files"
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=lively-sunset name=crowdsecurity/CVE-2023-22518
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=snowy-fire name=crowdsecurity/netgear_rce
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=snowy-star name=crowdsecurity/grafana-cve-2021-43798
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=cold-flower name=crowdsecurity/fortinet-cve-2022-40684
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=white-meadow name=ltsich/http-w00tw00t
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=ancient-cloud name=crowdsecurity/vmware-cve-2022-22954
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=blue-fire name=crowdsecurity/jira_cve-2021-26086
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=misty-fog name=crowdsecurity/CVE-2022-35914
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=black-sky name=crowdsecurity/http-bad-user-agent
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=cool-sky name=crowdsecurity/CVE-2022-41082
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=morning-hill name=crowdsecurity/CVE-2023-49103
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=summer-hill name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=polished-leaf name=crowdsecurity/CVE-2022-37042
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=old-smoke name=crowdsecurity/ssh-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=holy-wind name=crowdsecurity/ssh-bf_user-enum
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=crimson-pond name=crowdsecurity/CVE-2022-41697
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=ancient-tree name=crowdsecurity/http-probing
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=still-leaf name=crowdsecurity/http-crawl-non_statics
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=solitary-river name=crowdsecurity/thinkphp-cve-2018-20062
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=restless-resonance name=crowdsecurity/CVE-2022-26134
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=floral-moon name=crowdsecurity/ssh-slow-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=white-voice name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=bitter-water name=crowdsecurity/CVE-2022-44877
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=misty-fog name=crowdsecurity/http-xss-probbing
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=damp-darkness name=crowdsecurity/f5-big-ip-cve-2020-5902
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=autumn-moon name=crowdsecurity/http-path-traversal-probing
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=wild-glade name=crowdsecurity/http-cve-2021-41773
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=still-forest name=crowdsecurity/http-generic-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=shy-river name=LePresidente/http-generic-401-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=delicate-leaf name=LePresidente/http-generic-403-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=wild-snow name=crowdsecurity/http-open-proxy
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=small-brook name=crowdsecurity/http-backdoors-attempts
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=dark-forest name=crowdsecurity/fortinet-cve-2018-13379
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=rough-mountain name=crowdsecurity/CVE-2022-46169-bf
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=delicate-bush name=crowdsecurity/CVE-2022-46169-cmd
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=summer-smoke name=crowdsecurity/CVE-2019-18935
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=white-hill name=crowdsecurity/http-cve-2021-42013
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=dawn-leaf name=crowdsecurity/CVE-2023-22515
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=blue-dawn name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=restless-mountain name=crowdsecurity/CVE-2022-42889
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=floral-snow name=crowdsecurity/apache_log4j2_cve-2021-44228
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=delicate-snow name=crowdsecurity/http-sqli-probbing-detection
time="2024-02-06T13:43:56Z" level=info msg="Adding trigger bucket" cfg=small-snowflake name=crowdsecurity/spring4shell_cve-2022-22965
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=rough-meadow name=crowdsecurity/http-sensitive-files
time="2024-02-06T13:43:56Z" level=info msg="Adding leaky bucket" cfg=restless-rain name=crowdsecurity/http-admin-interface-probing
time="2024-02-06T13:43:56Z" level=info msg="Loaded 45 scenarios"
time="2024-02-06T13:43:56Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/error.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/fallback_access.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/fallback_error.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_access.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-1_error.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_access.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-2_error.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_access.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/nginx/proxy-host-3_error.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="2024-02-06T13:43:56Z" level=info msg="Starting processing data"
time="2024-02-06T13:43:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:43:57 UTC] \"POST /v1/watchers/login HTTP/1.1 200 95.910053ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T13:44:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:44:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 525.045µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T13:45:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:45:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 995.999µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T13:45:57Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:45:57 UTC] \"GET /v1/decisions?ip=87.236.176.90 HTTP/1.1 200 82.347206ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:45:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:45:58 UTC] \"GET /v1/decisions?ip=87.236.176.155 HTTP/1.1 200 84.278141ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:45:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:45:58 UTC] \"GET /v1/decisions?ip=87.236.176.172 HTTP/1.1 200 89.838141ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:45:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:45:58 UTC] \"GET /v1/decisions?ip=87.236.176.28 HTTP/1.1 200 95.204541ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:45:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:45:58 UTC] \"GET /v1/decisions?ip=87.236.176.159 HTTP/1.1 200 95.228083ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:46:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:46:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 1.13791ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T13:47:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:47:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 1.008854ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T13:48:08Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:08 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.323805ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:09Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:09 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 39.964693ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:11Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:11 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.957782ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:13Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:13 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.175651ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:14Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:14 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 41.264835ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:15Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:15 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.572364ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:16Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:16 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 70.731499ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:18Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:18 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 81.163576ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:19Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:19 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 39.687781ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:21Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:21 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.418187ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:22Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:22 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.11629ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:23Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:23 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 76.357594ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:24Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:24 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 84.106465ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:26Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:26 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 75.032339ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:27Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:27 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 84.203227ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:28Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:28 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.015872ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:29Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:29 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 85.050231ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:30Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:30 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 41.157817ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:32Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:32 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 71.863238ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:33Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:33 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 63.642629ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:34Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:34 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 57.022199ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:35Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:35 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 65.790477ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:37Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 13:48:37 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 84.481896ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T13:48:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 13:48:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 1.073023ms \"crowdsec/v1.6.0-4192af30\" \""

Acquisition Metrics:


╭─────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                   Source                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log                      │ 2          │ -            │ 2              │ -                      │
│ file:/var/log/nginx/proxy-host-3_access.log │ 50         │ 50           │ -              │ -                      │
│ file:/var/log/syslog                        │ 106        │ -            │ 106            │ -                      │
╰─────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭──────────────────────────────────────────────┬──────┬────────┬──────────╮
│                   Parsers                    │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs                │ 150  │ 100    │ 50       │
│ child-crowdsecurity/nginx-proxy-manager-logs │ 50   │ 50     │ -        │
│ child-crowdsecurity/syslog-logs              │ 108  │ 108    │ -        │
│ crowdsecurity/dateparse-enrich               │ 50   │ 50     │ -        │
│ crowdsecurity/geoip-enrich                   │ 50   │ 50     │ -        │
│ crowdsecurity/http-logs                      │ 50   │ 50     │ -        │
│ crowdsecurity/nginx-proxy-manager-logs       │ 50   │ 50     │ -        │
│ crowdsecurity/non-syslog                     │ 50   │ 50     │ -        │
│ crowdsecurity/syslog-logs                    │ 108  │ 108    │ -        │
│ crowdsecurity/whitelists                     │ 50   │ 50     │ -        │
╰──────────────────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions      │ GET    │ 28   │
│ /v1/heartbeat      │ GET    │ 8    │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 8    │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────┬───────────────┬────────┬──────╮
│   Bouncer   │     Route     │ Method │ Hits │
├─────────────┼───────────────┼────────┼──────┤
│ nginx-proxy │ /v1/decisions │ GET    │ 28   │
╰─────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────┬───────────────┬───────────────────╮
│   Bouncer   │ Empty answers │ Non-empty answers │
├─────────────┼───────────────┼───────────────────┤
│ nginx-proxy │ 28            │ 0                 │
╰─────────────┴───────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│                   Reason                   │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 423   │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 4     │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 6     │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 21    │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 17    │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 49    │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 14122 │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 38    │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 10    │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 45    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 1     │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 216   │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 48    │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 5     │
│ firehol_cybercrime                         │ lists  │ ban    │ 840   │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 220   │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 19    │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 15    │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 1184  │
│ crowdsecurity/CVE-2023-22518               │ CAPI   │ ban    │ 10    │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 178   │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 58    │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 14044 │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 85    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 372   │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13252 │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 1404  │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 1270  │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 865   │
│ otx-webscanners                            │ lists  │ ban    │ 8225  │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 871   │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 23    │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────────┬───────╮
│            Reason             │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 3     │
╰───────────────────────────────┴───────╯

Okay, so the file is parsing. Can you try this within the container:

tail -n1 /var/log/nginx/proxy-host-3_access.log | cscli explain -f- -t nginx-proxy-manager
6cb0aab71698:/# tail -n1 /var/log/nginx/proxy-host-3_access.log | cscli explain -f- -t nginx-proxy-manager
line: [06/Feb/2024:14:48:38 +0100] - 200 200 - POST https ha129x01.duckdns.org "/auth/login_flow/d3a05d77708511783e8d7735ff04c381" [Client 176.6.179.224] [Length 210] [Gzip -] [Sent-to 192.168.178.41] "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36" "-"
        ├ s00-raw
        |       ├ 🔴 crowdsecurity/cri-logs
        |       ├ 🔴 crowdsecurity/docker-logs
        |       ├ 🔴 crowdsecurity/syslog-logs
        |       └ 🟢 crowdsecurity/non-syslog (+5 ~8)
        ├ s01-parse
        |       └ 🟢 crowdsecurity/nginx-proxy-manager-logs (+22 ~2)
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios

Okay, so it parses fine, but that line in particular didn't match any scenarios. So it should be good to go now.

Unfortunately, my smartphone is not banned if I enter the wrong password 30 times (coming from the internet, not locally).

Okay, does the log line actually correctly log it as an unauthorized attempt with status 401/403? Or, like most applications, does it put it as status 200?

Because then you need to write a custom scenario for that.
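The point of the reply above, as an added example that is not part of the thread and not CrowdSec's own code: a rule keyed on 401/403 never fires on the access-log format shown earlier when the login POST is answered with 200, while a rule keyed on the login path does. The sliding-window counter, the thresholds, the documentation-range IPs and the `ha.example.org` host are assumptions, and because the status cannot separate failed from successful logins, the path-based rule counts every login POST.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Nginx Proxy Manager access-log layout, taken from the line quoted in the thread.
NPM_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<verb>[A-Z]+) \S+ \S+ '
    r'"(?P<path>[^"]*)" \[Client (?P<ip>[^\]]+)\]')

def parse(line):
    """Return ts/status/verb/path/ip for one access-log line, or None."""
    m = NPM_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def status_based(ev):
    # What a rule keyed on "unauthorized" responses looks at.
    return ev["status"] in (401, 403)

def path_based(ev, prefix="/auth/login_flow/"):
    # Assumed custom rule: any POST to the login path seen in the thread.
    return ev["verb"] == "POST" and ev["path"].startswith(prefix)

def offenders(lines, match, capacity=5, window=timedelta(seconds=60)):
    """IPs with more than `capacity` matching events inside `window`
    (a sliding-window stand-in for a leaky bucket)."""
    recent, flagged = defaultdict(deque), set()
    for ev in filter(None, map(parse, lines)):
        if not match(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > capacity:
            flagged.add(ev["ip"])
    return flagged

def sample_lines():
    # Constructed input: 8 login POSTs answered with 200, one GET, one junk line.
    tpl = ('[06/Feb/2024:14:48:{s:02d} +0100] - 200 200 - {verb} https ha.example.org '
           '"{path}" [Client {ip}] [Length 210] [Gzip -] [Sent-to 192.0.2.41] "-" "-"')
    lines = [tpl.format(s=2 * i, verb="POST", path="/auth/login_flow/0000",
                        ip="203.0.113.7") for i in range(8)]
    return lines + [tpl.format(s=30, verb="GET", path="/", ip="198.51.100.9"), "junk"]
```

Calling `offenders(sample_lines(), status_based)` and `offenders(sample_lines(), path_based)` shows the difference between the two rules on the same input.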