Notification another identifiing machine than id

crowdsec
1

Hi there,

Is there another fashion to identify machine in notification with a more human readable way than the MachineID ?

Thanks for your lights :slight_smile:

2

How many machines do you have? Crowdsec only know machineids but you can create a lookup table and map a machineid to a nicer name

3

Hello @iiAmLoz

I don’t like lookup table, not easy to maintains.

Can we access machine ENV variable from go_template ?

Cheers

4

They already do via sprig OS Functions | sprig

However, systemd has a sandbox feature that the service doesn’t have access to all environments so you will have to edit the service file to add the environment key you wish for it to have.

[Service]
Environment=HOSTNAME=MYHOSTNAME

Then inside the template you should be able to do

{{ env "HOSTNAME" }}
1 Like
5

Argh!
HOSTNAME is not present in system environment (env |grep HOSTNAME say nothing) but only present with bash (echo $HOSTNAME reply the hostname) :frowning:

6

Hence why I said you got to edit the environment within the service to add it.

7

I found a solution, without to modify Crowdsec’s published files :slight_smile:

(no need to add Environment= in the service file)

Create the file /etc/systemd/system-environment-generators/99-hostname.sh with

#!/bin/sh
HOSTNAME=`hostname -f`
echo "HOSTNAME=${HOSTNAME}"

and chmod +x it.

(of course, create folder /etc/systemd/system-environment-generators if does not exists)

then

sudo systemctl daemon-reload
sudo systemctl restart crowdsec.service

Et HOP ! the go_template directive {{ env "HOSTNAME" }} works like a charm :slight_smile:

more info at systemd.environment-generator

1 Like
8

My new Slack template is :

format: |
  from ({{ env "HOSTNAME" }}):
  {{range . -}}
   {{$alert := . -}}
   {{range .Decisions -}}
    {{if $alert.Source.Cn -}}
     :flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> ({{ $alert.Source.AsName }}) will>
    {{if not $alert.Source.Cn -}}
     :pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> ({{ $alert.Source.AsName }}) will get {{.Type}}>
   {{end -}}
  {{end -}}

I use it to post on Mattermost with incoming webhook.

1 Like
9

I came back after some times, more precisely after some reboot and … Grrrr :frowning:

It seems that the system-environment-generators it not run at boot time but only on systemctl daemon-reload that is not as expected… I’m searching a reason to make this solution effective.

So I’ll be back here as soon as :wink:

10

Hi @iiAmLoz

My solution with system-environment-generators doesn’t work at boot. After many reading I only found that systemd defines a “%H” variable, so your proposal can be updated like

[Service]
Environment=HOSTNAME=%H

That works after a reboot.

The mess is that we have to modify an official crowdsec distributed file :frowning:

11

I created a pull request :stuck_out_tongue:

12

My PR was refused because is too Debian specifics, but devs added a function Hostname() helper available in expr and template ! :slight_smile: