Registering windows node to remote lapi

I installed the Windows bundle on a Windows 10 machine and am trying to register to a remote LAPI. For some reason the local_api_credentials.yaml will not auto-generate after the usual “cscli lapi register…” command. The command is successful and the remote LAPI is reachable, as I am able to see and validate the Windows node from the remote LAPI. Although the message indicates the credentials were created and provides the path, the file is always empty.

Is there an additional step that I'm missing to generate the credentials?

Can you ensure that you run the command via an elevated admin prompt? It could be the case that there is in fact a write issue with permissions.

Plus, ensure that the CrowdSec service is stopped, as I know there are sometimes issues when a service has the file open.

Yes, I’m doing everything in PowerShell running as admin. I finally was able to get it to generate the credentials, but I'm still having issues that I haven’t faced with the other 10 nodes running on Linux. I register to the remote LAPI, then go over to the CLI on that machine and validate. Everything validates fine, it shows the checkmark on the new node and shows the first heartbeat. The problem is that after I validate the node there are no more heartbeats, only the first one and then nothing. When I go to the Windows machine and run cscli metrics I get this:

level=warning msg="while fetching metrics: executing GET request for URL \"http://127.0.0.1:6060/metrics\" failed: Get \"http://127.0.0.1:6060/metrics\": dial tcp 127.0.0.1:6060: connectex: No connection could be made because the target machine actively refused it."

I have ports 8080, 6060 and 443 open on the Windows firewall, both in and out. Not sure what else to try. I have already removed and validated the Windows node 10-12 times and I see the same behavior.

The CrowdSec service is in fact stopped. I actually noticed it will run and then stop after a few seconds. Maybe that’s the clue? Here is my config on the Windows node:

common:
  daemonize: false
  log_media: file
  log_level: info
  log_dir:  C:\ProgramData\CrowdSec\log\
config_paths:
  config_dir:  C:\ProgramData\CrowdSec\config\
  data_dir:  C:\ProgramData\CrowdSec\data\
  simulation_path:   C:\ProgramData\CrowdSec\config\simulation.yaml
  hub_dir:  C:\ProgramData\CrowdSec\hub\
  index_path:  C:\ProgramData\CrowdSec\hub\.index.json
  plugin_dir: C:\ProgramData\CrowdSec\plugins\
  notification_dir:  C:\ProgramData\CrowdSec\config\notifications\
crowdsec_service:
  #console_context_path: C:\ProgramData\CrowdSec\console\context.yaml
  acquisition_path:  C:\ProgramData\CrowdSec\config\acquis.yaml
  parser_routines: 1
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path:  C:\ProgramData\CrowdSec\data\crowdsec.db
  #user: 
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
api:
  client:
    insecure_skip_verify: false
    credentials_path:  C:\ProgramData\CrowdSec\config\local_api_credentials.yaml
  # server:
  #   log_level: info
  #   listen_uri: 127.0.0.1:8080
  #   profiles_path: C:\ProgramData\Crowdsec\config\profiles.yaml
  #   online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
  #     credentials_path:  C:\ProgramData\CrowdSec\config\online_api_credentials.yaml
  #   tls:
  #     cert_file: /etc/crowdsec/ssl/cert.pem
  #     key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

The crowdsec.api.log file doesn’t give much indication of the issue (that I can see):

time="2024-12-18T17:56:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 17:56:58 PST] \"POST /v1/watchers/login HTTP/1.1 200 65.6934ms \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T17:56:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 17:56:58 PST] \"POST /v1/usage-metrics HTTP/1.1 201 1.0602ms \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T17:57:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 17:57:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 723.8µs \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T17:58:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 17:58:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T17:59:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 17:59:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:00:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:00:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 516.1µs \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:01:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:01:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:02:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:02:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:03:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:03:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:04:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:04:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:05:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:05:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 986.5µs \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:06:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:06:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:07:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:07:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 999.7µs \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:08:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:08:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:09:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:09:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:10:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:10:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:11:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:11:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 523.1µs \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:12:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:12:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:13:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:13:58 PST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.6.4-fb733ee4-windows\" \""
time="2024-12-18T18:27:58-08:00" level=info msg="127.0.0.1 - [Wed, 18 Dec 2024 18:27:58 PST] \"GET /v1/decisions/stream?startup=true&scope=ip,range HTTP/1.1 200 2.9962ms \"cs-windows-fw-bouncer/0.0.5\" \""

In case it matters, here is the output of cscli lapi status:

PS C:\WINDOWS\system32> cscli lapi status
Loaded credentials from C:\ProgramData\CrowdSec\config\local_api_credentials.yaml
Trying to authenticate with username xxxxx on http://192.168.x.x:8080/
You can successfully interact with Local API (LAPI)

Looks like the issue was the acquis file preventing the service from running. This entry was the culprit:

# source: wineventlog
# event_channel: Microsoft-IIS-Logging/Logs
# event_ids:
#  - 6200
# event_level: information
# labels:
#  type: iis

I installed the crowdsecurity/iis collection, so I’m not sure what I’m missing still, but at least I have a working agent after commenting out that entry.

Do you have any log entries that give some information about why the acquisition was causing an issue?

Yes, this is what I saw in the logs:

time="2024-12-18T18:20:05-08:00" level=info msg="loading acquisition file : C:\\ProgramData\\CrowdSec\\config\\acquis.yaml"
time="2024-12-18T18:20:05-08:00" level=warning msg="No matching files for pattern C:\\Windows\\System32\\LogFiles\\Firewall\\*.log" type=file
time="2024-12-18T18:20:05-08:00" level=warning msg="No matching files for pattern C:\\inetpub\\logs\\LogFiles\\*\\*.log" type=file
time="2024-12-18T18:20:05-08:00" level=info msg="Starting processing data"
time="2024-12-18T18:20:05-08:00" level=error msg="Failed to subscribe to event log: wevtapi.EvtSubscribe(): The specified channel could not be found." type=wineventlog
time="2024-12-18T18:20:05-08:00" level=info msg="wineventlog is dying" type=wineventlog
time="2024-12-18T18:20:06-08:00" level=info msg="wineventlog is dying" type=wineventlog
time="2024-12-18T18:20:06-08:00" level=info msg="Acquisition is finished, shutting down"
time="2024-12-18T18:20:06-08:00" level=fatal msg="unable to start crowdsec routines: starting acquisition error: wevtapi.EvtSubscribe(): The specified channel could not be found."

I thought I had IIS on my machine since I have a few homelab service sites hosted on it but it looks like I don’t have it installed. The error pointed me in the right direction but it took a while since it wasn’t clear what was missing or which entry was the issue.

I do have a new issue but I’ll start a new thread since it’s related to the firewall bouncer.
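A pre-flight check for the failure mode in this thread, added here as an example (it is not from the thread or from the CrowdSec project): it reads acquis.yaml, confirms that every wineventlog event_channel is a channel registered on the host, and reports file patterns that match nothing. The acquis.yaml path is the one from the thread; the regex-based parsing is an assumption that expects one key per line.

```powershell
# Added example, not from the thread or the CrowdSec project. Checks acquis.yaml before the
# service is started: a wineventlog source whose event_channel is not registered is fatal
# (the thread's 'EvtSubscribe(): The specified channel could not be found'); a file source
# whose pattern matches nothing only produces a warning. Minimal line-based YAML read (assumed).
param(
    [string]$AcquisPath = 'C:\ProgramData\CrowdSec\config\acquis.yaml'
)

$fatal = 0
$docs = (Get-Content -Raw -Path $AcquisPath) -split '(?m)^---[ \t]*\r?$'

foreach ($doc in $docs) {
    # Commented-out keys ('# source: ...') begin with '#', so the anchored regexes skip them.
    if ($doc -match '(?m)^[ \t]*source:[ \t]*([^\s#]+)') { $source = $Matches[1] }
    elseif ($doc -match '(?m)^[ \t]*filenames?:') { $source = 'file' }   # crowdsec infers 'file' from filenames
    else { continue }

    if ($source -eq 'wineventlog' -and $doc -match '(?m)^[ \t]*event_channel:[ \t]*([^\r\n#]+?)[ \t]*$') {
        $channel = $Matches[1]
        # Get-WinEvent -ListLog returns the channel configuration if it is registered, nothing otherwise.
        $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
        if ($null -eq $log) {
            Write-Warning "wineventlog: channel '$channel' is not registered on this host; crowdsec will fail to start"
            $fatal++
        } elseif (-not $log.IsEnabled) {
            Write-Warning "wineventlog: channel '$channel' exists but is disabled; no events will be collected from it"
        } else {
            Write-Output "OK   wineventlog: channel '$channel' exists and is enabled ($($log.RecordCount) records)"
        }
    }
    elseif ($source -eq 'file') {
        # Either 'filename: <pattern>' or 'filenames:' followed by '- <pattern>' list items.
        $patterns = @()
        if ($doc -match '(?m)^[ \t]*filename:[ \t]*([^\r\n#]+?)[ \t]*$') { $patterns += $Matches[1] }
        if ($doc -match '(?m)^[ \t]*filenames:[ \t]*\r?\n((?:[ \t]*-[ \t]*[^\r\n]+\r?\n?)+)') {
            $patterns += [regex]::Matches($Matches[1], '-[ \t]*([^\r\n]+?)[ \t]*(?:\r?\n|$)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        foreach ($p in $patterns) {
            if (Get-Item -Path $p -ErrorAction SilentlyContinue) { Write-Output "OK   file: '$p' matches" }
            else { Write-Warning "file: no matching files for pattern '$p' (non-fatal; crowdsec logs a warning)" }
        }
    }
}

if ($fatal -gt 0) { Write-Warning "$fatal fatal acquisition problem(s) found; fix them before starting the service"; exit 1 }
Write-Output 'No fatal acquisition problems found.'
```

Run it from an elevated prompt, as in the thread, since some channels cannot be listed without admin rights; the Microsoft-IIS-Logging/Logs channel from the thread is only registered once IIS is installed, which is exactly what this check would have flagged.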