I have an issue with the profiles configuration. I have the default profiles.yaml file in /etc/crowdsec/profiles.yaml. I want to use my own profiles.yaml in /etc/crowdsec/profiles/profiles.yaml like this:
I have updated the config.yaml file to change the profiles_path variable to mine. But when I look at the decisions (cscli decisions list) I see the ban for my IP for 4h. Can someone help me please? I've tried a lot of configurations but it's not working.
Thanks for your answer. Yes, I restarted the crowdsec container and also manually deleted the IP to test the profiles again, but it's not working. I'm using an HTTP parser with scenarios; both are working. I only have the issue with the profile, which always takes the default 4h ban.
Yes, /etc/crowdsec/profiles.yaml still exists. I tried to modify it also but it doesn't work. My crowdsec version is v1.1.1 under Docker. In my /etc/crowdsec/conf.d/config.yaml, the profiles_path is /etc/crowdsec/profiles/profiles.yaml, because I use a custom profile located in /etc/crowdsec/profiles/profiles.yaml.
How do you run your container?
By default, crowdsec will only look in /etc/crowdsec/config.yaml for its main configuration, not in /etc/crowdsec/conf.d/config.yaml.
If you want to use this configuration file, you will have to pass it with the -c flag.
Yes, I use the crowdsec -c /etc/crowdsec/conf.d/config.yaml -dsn file:///etc/crowdsec/tests/httpd.log -type crowdsecurity/http-w00tw00t command to specify my custom config file.
I can see that my scenario matched with parsers. But the profiles always take the default ban duration (4h).
I know that we see the profiles.yaml file is located in the default path /etc/crowdsec/profiles.yaml. But when I launch the scenario test I use my own config with the crowdsec -c /etc/crowdsec/conf.d/config.yaml -dsn file:///etc/crowdsec/tests/httpd.log -type crowdsecurity/http-w00tw00t command. And in my config.yaml file the profiles file is located here: /etc/crowdsec/profiles/profiles.yaml. So it should work, right?
Please keep in mind that the profiles are evaluated by the local api and not by the crowdsec agent.
Is your local api running with the configuration pointing to your alternative profiles config?
I’m sure I understand your setup completely; this sounds like a configuration issue rather than a bug, but I'm looking forward to solving it with you.
Thanks for your answer thibault, how can I know if my local api is running with the configuration pointing to my alternative profiles config?
Because I thought I only had to put the profiles_path in my custom config.yaml, if I refer to the documentation. I have a local_api_credentials.yaml file but it is only for credentials.
The local api is usually the “long running” process that will receive alerts from the agent. So it’s a bit hard to tell without knowing your setup. Typically, if you have the crowdsec service running “in the background”, what is relevant would be the configuration with which this service runs.
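One way to check which configuration a long-running crowdsec process was started with, and which profiles file that configuration names. This is an added example, not part of the thread or of CrowdSec's own tooling; it assumes Linux /proc, a process named crowdsec, and that it is run inside the container or host where the local API runs. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or the CrowdSec project.
DEFAULT_CONFIG=/etc/crowdsec/config.yaml  # default main config, as stated in the thread

# Print the config path passed with -c in a NUL-separated cmdline file
# (the /proc/<pid>/cmdline format); print the default when -c is absent.
config_from_cmdline() (
    prev=""
    tr '\000' '\n' < "$1" | {
        while IFS= read -r arg; do
            case $arg in -c=*) printf '%s\n' "${arg#-c=}"; exit 0 ;; esac
            if [ "$prev" = "-c" ]; then printf '%s\n' "$arg"; exit 0; fi
            prev=$arg
        done
        printf '%s\n' "$DEFAULT_CONFIG"
    }
)

# Print the value of the first profiles_path key in a config file
# (empty output when the key is absent or commented out).
profiles_path_from_config() {
    sed -n 's/^[[:space:]]*profiles_path:[[:space:]]*//p' "$1" |
        head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# For every running process named "crowdsec", report its config and profiles file.
check_running() {
    for dir in /proc/[0-9]*; do
        [ "$(cat "$dir/comm" 2>/dev/null)" = "crowdsec" ] || continue
        cfg=$(config_from_cmdline "$dir/cmdline")
        echo "pid ${dir#/proc/}: config=$cfg profiles_path=$(profiles_path_from_config "$cfg")"
    done
}

# Run the live check only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_running; fi
```

If the reported config is /etc/crowdsec/config.yaml while the custom profiles_path is set only in /etc/crowdsec/conf.d/config.yaml, the background process is not reading the custom file.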