Notification test is working but fails when it's for real

Hello,
I have a gotify http notification configuration that works. The name of the notification is gotify but it’s in fact an http notification.

# cscli notifications test gotify
DEBU[0000] starting plugin                               args="[/usr/lib/crowdsec/plugins/notification-http]" path=/usr/lib/crowdsec/plugins/notification-http
DEBU[0000] plugin started                                path=/usr/lib/crowdsec/plugins/notification-http pid=26626
DEBU[0000] waiting for RPC address                       path=/usr/lib/crowdsec/plugins/notification-http
DEBU[0000] using plugin                                  version=1
TRAC[0000] waiting for stdio data                       
INFO registered plugin gotify                     
INFO registered plugin http_default               
INFO pluginTomb dying                             
INFO[0000] received signal for gotify config             @module=http-plugin
INFO killing all plugins                          
DEBU[0000] received EOF, stopping recv loop              err="rpc error: code = Unavailable desc = error reading from server: EOF"
INFO[0000] plugin process exited                         path=/usr/lib/crowdsec/plugins/notification-http pid=26626
DEBU[0000] plugin exited 

After the test, I have a notification in gotify. So the test is a success.

The notification is enabled in the profile.

# cat profiles.yaml 
name: alert_on_remediation
filters:
 - Alert.Remediation == true
notifications:
  - gotify
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

But then, when I have an actual alert, I don’t have the notification. The log is like this:

time="2025-03-22T11:59:52+01:00" level=info msg="(XXX/crowdsec) crowdsecurity/http-probing by ip 172.105.246.139 (DE/63949) : 4h ban on Ip 172.105.246.139"
time="2025-03-22T11:59:52+01:00" level=info msg="Signal push: 1 signals to push"
time="2025-03-22T11:59:52+01:00" level=info msg="received signal for gotify config" @module=http-plugin
time="2025-03-22T11:59:52+01:00" level=warning msg="HTTP server returned non 200 status code: 400" @module=http-plugin
time="2025-03-22T11:59:55+01:00" level=info msg="Ip 172.105.246.139 performed 'crowdsecurity/http-admin-interface-probing' (5 events over 2.473874922s) at 2025-03-22 10:59:55.664462426 +0000 UTC"
time="2025-03-22T11:59:55+01:00" level=warning msg="Cannot send alert to Plugin channel (try: 0)"

So I have this "HTTP server returned non 200 status code: 400" @module=http-plugin that seems to be the problem, while I have no such thing when testing. Any idea?

At this stage you have 0 decisions for the incoming alert, and since this is the first profile, if your template relies on Alert.Decisions to generate text (if you copied it from the docs, then yes, it relies on it), then since there are none, it will be empty, hence why gotify is returning a non-200 status.

The test command generates an alert with a single decision, so that is why the test works and the actual pipeline won't. Best to remove this profile and enable notifications on both default_ip_remediation and default_range_remediation if applicable.

If you want to keep notifications defined in a single profile, then you would need to flip the logic, e.g. this profile is last and you remove the break statements from the others, so when the alerts get to the last profile they will already have decisions generated by the previous ones. However, this is not recommended if you decide to make more complex profiles, as you may get lost in the filter logic and which breaks where.
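
The effect described in the answer above, as an added example that is not part of the thread and not CrowdSec's own code: a Go text/template that builds the title and message only inside a loop over the alert's decisions renders an empty body when the alert has none. The format string, the `Alert` and `Decision` stand-in types and the sample IP are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Minimal stand-ins for the alert data handed to the notification template
// (assumed shapes for this example, not CrowdSec's own types).
type Decision struct{ Type, Value, Duration, Scenario string }
type Alert struct{ Decisions []Decision }

// Constructed format string: title and message are only emitted inside the
// loop over .Decisions, the pattern the answer describes.
const format = `{{range .}}{{range .Decisions}}{"title": "{{.Type}} {{.Value}} for {{.Duration}}", "message": "{{.Scenario}}", "priority": 5}{{end}}{{end}}`

var tmpl = template.Must(template.New("gotify").Parse(format))

// Render executes the format string over a batch of alerts.
func Render(alerts []Alert) (string, error) {
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, alerts)
	return strings.TrimSpace(buf.String()), err
}

// Usable reports whether the body is JSON carrying a non-empty "message".
func Usable(body string) bool {
	var msg struct {
		Message string `json:"message"`
	}
	return json.Unmarshal([]byte(body), &msg) == nil && msg.Message != ""
}

func main() {
	// Constructed alerts: one with no decisions yet, one that already has a ban.
	noDecision := []Alert{{}}
	withBan := []Alert{{Decisions: []Decision{
		{"ban", "192.0.2.10", "4h", "crowdsecurity/http-probing"}}}}
	for _, batch := range [][]Alert{noDecision, withBan} {
		body, _ := Render(batch)
		fmt.Printf("decisions=%d usable=%v body=%q\n",
			len(batch[0].Decisions), Usable(body), body)
	}
}
```

Rendering a notification template against an alert with an empty decision list, as well as one with a decision, catches this case before a profile change goes live.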

Okay, so following what you wrote, here is my new profile. It’s in place. Now, let’s wait for a decision.

name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - gotify
on_success: break
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - gotify
on_success: break

… and it worked. Thank you!
