I saved a copy of the http.yaml file as orig_http.yaml in the same folder. Because of this?
Yep, that's the issue: it tries to find all .yaml files and loads them; if two have the same name, one will overwrite the other.
Thank you very much, friend
I am running into this same issue. I could never get the email notification to work, so I'm trying Telegram. I am able to run the curl
in the container from above and post a message to Telegram.
I copied the URL and chat ID from my working curl into the http.yaml, but it doesn't work when I manually ban an IP. Is it because I manually banned? They show up fine in the alerts on the console webpage.
Here are my yaml files.
profiles.yaml
```yaml
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#  - slack_default   # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#  - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
   - http_tele       # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#  - email_default   # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
```
http.yaml
```yaml
type: http          # Don't change
name: http_tele     # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

# group_wait:      # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:       # Number of attempts to relay messages to plugins in case of error
# timeout:         # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body
# Replace XXXXXXXXX with your Telegram chat ID
format: |
  {
    "chat_id": "chat_id_without - at beginning",
    "text": "
      {{range . -}}
      {{$alert := . -}}
      {{range .Decisions -}}
      {{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}.
      {{end -}}
      {{end -}}
    ",
    "reply_markup": {
      "inline_keyboard": [
        {{ $arrLength := len . -}}
        {{ range $i, $value := . -}}
        {{ $V := $value.Source.Value -}}
        [
          {
            "text": "See {{ $V }} on shodan.io",
            "url": "https://www.shodan.io/host/{{ $V -}}"
          },
          {
            "text": "See {{ $V }} on crowdsec.net",
            "url": "https://app.crowdsec.net/cti/{{ $V -}}"
          }
        ]{{if lt $i ( sub $arrLength 1) }},{{end }}
        {{end -}}
      ]
    }
  }

url: https://api.telegram.org/bot_my_api/sendMessage # Replace <TELEGRAM_API_KEY> with your API key
method: POST
headers:
  Content-Type: "application/json"
```
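As an added example (not code from this thread or from CrowdSec itself), the Go program below shows what the http plugin's `format` stage produces for a Telegram body: it renders a template like the http.yaml one above against two constructed alerts, checks that the result is strict JSON, and then decodes it the way the receiving API would so the text and inline buttons can be inspected before any real request is sent. Everything in it is a placeholder or an assumption: the `chat_id`, the IPs and scenario names are made up; `Alert`/`Decision`/`Source` are a cut-down stand-in for `models.Alert` with only the fields the template reads; and `sub` is supplied through a `FuncMap` because the plugin's own template function set is not imported here. One deliberate change from the thread's template: the `"text"` value is kept on a single line with `\n` escapes, because `encoding/json` rejects a raw newline inside a JSON string, so the multi-line layout could not be validated with `json.Valid`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed cut-down stand-ins for the fields of models.Alert that the template reads.
type Decision struct{ Value, Type, Duration, Scenario string }
type Source struct{ Value string }
type Alert struct {
	Source    Source
	Decisions []Decision
}

// Adapted from the http.yaml "format" in the thread; the chat_id is a placeholder.
// The "text" value is kept on one line with \n escapes: encoding/json rejects a raw
// newline inside a JSON string, so json.Valid below would fail on a multi-line value.
const format = `{
  "chat_id": "123456789",
  "text": "{{range . -}}{{range .Decisions -}}{{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}.\n{{end -}}{{end -}}",
  "reply_markup": {
    "inline_keyboard": [
      {{ $arrLength := len . -}}
      {{ range $i, $value := . -}}
      {{ $V := $value.Source.Value -}}
      [
        {"text": "See {{ $V }} on shodan.io", "url": "https://www.shodan.io/host/{{ $V -}}"},
        {"text": "See {{ $V }} on crowdsec.net", "url": "https://app.crowdsec.net/cti/{{ $V -}}"}
      ]{{if lt $i ( sub $arrLength 1) }},{{end }}
      {{end -}}
    ]
  }
}`

// RenderBody executes the template over the alert list, as the http plugin does
// before the POST, and refuses to return a body that is not strict JSON.
func RenderBody(alerts []Alert) ([]byte, error) {
	tmpl, err := template.New("http").Funcs(template.FuncMap{
		// "sub" comes from the plugin's template function set; supplied here so the file runs alone.
		"sub": func(a, b int) int { return a - b },
	}).Parse(format)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alerts); err != nil {
		return nil, err
	}
	if !json.Valid(buf.Bytes()) {
		return nil, fmt.Errorf("rendered body is not valid JSON:\n%s", buf.String())
	}
	return buf.Bytes(), nil
}

// Button and TelegramMessage mirror the parts of a sendMessage request that matter here.
type Button struct {
	Text string `json:"text"`
	URL  string `json:"url"`
}

type TelegramMessage struct {
	ChatID      string `json:"chat_id"`
	Text        string `json:"text"`
	ReplyMarkup struct {
		InlineKeyboard [][]Button `json:"inline_keyboard"`
	} `json:"reply_markup"`
}

// DecodeAsTelegram renders the body and parses it the way the receiving API would,
// so the text and buttons can be inspected before any real request is sent.
func DecodeAsTelegram(alerts []Alert) (*TelegramMessage, error) {
	body, err := RenderBody(alerts)
	if err != nil {
		return nil, err
	}
	var msg TelegramMessage
	if err := json.Unmarshal(body, &msg); err != nil {
		return nil, err
	}
	return &msg, nil
}

// SampleAlerts are constructed inputs (documentation-range IPs), not real CrowdSec output.
func SampleAlerts() []Alert {
	return []Alert{
		{Source: Source{Value: "203.0.113.10"}, Decisions: []Decision{
			{Value: "203.0.113.10", Type: "ban", Duration: "4h", Scenario: "crowdsecurity/ssh-bf"}}},
		{Source: Source{Value: "198.51.100.7"}, Decisions: []Decision{
			{Value: "198.51.100.7", Type: "ban", Duration: "4h", Scenario: "crowdsecurity/http-probing"}}},
	}
}

func main() {
	msg, err := DecodeAsTelegram(SampleAlerts())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("chat_id=%s\n%s", msg.ChatID, msg.Text)
	for _, row := range msg.ReplyMarkup.InlineKeyboard {
		fmt.Printf("buttons: %s | %s\n", row[0].URL, row[1].URL)
	}
}
```

`go run` on this file prints the decoded chat_id, the message text and one pair of button URLs per alert. The `json.Valid` check in `RenderBody` is the quick way to catch a stray quote or trailing comma after editing the template (the `sub $arrLength 1` comparison is what keeps the last keyboard row from ending in a comma), and the empty-list case renders cleanly too, which matters because the plugin may be handed a batch with grouping enabled.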
Manually banned IP addresses do not trigger the alert pipeline, and therefore they never get to notifications. If you want to run the notification hook afterwards, you can find the alert id via `cscli alerts list`
and then run `cscli notifications reinject <id>`.
Well, that's definitely helpful information that should be documented. I have multiple manual alerts while trying to get this to work.
Which it still doesn't. I'm trying email and Telegram at the same time now, and they're all acting the same.
```
d753b79babdc:/# cscli notifications reinject 190
DEBU[0000] starting plugin args="[/usr/local/lib/crowdsec/plugins/notification-email]" path=/usr/local/lib/crowdsec/plugins/notification-email
DEBU[0000] plugin started path=/usr/local/lib/crowdsec/plugins/notification-email pid=485
DEBU[0000] waiting for RPC address path=/usr/local/lib/crowdsec/plugins/notification-email
DEBU[0000] using plugin version=1
TRAC[0000] waiting for stdio data
INFO[2024-02-29T14:47:47Z] registered plugin email_default
DEBU[0000] starting plugin args="[/usr/local/lib/crowdsec/plugins/notification-http]" path=/usr/local/lib/crowdsec/plugins/notification-http
DEBU[0000] plugin started path=/usr/local/lib/crowdsec/plugins/notification-http pid=492
DEBU[0000] waiting for RPC address path=/usr/local/lib/crowdsec/plugins/notification-http
DEBU[0000] using plugin version=1
TRAC[0000] waiting for stdio data
INFO[2024-02-29T14:47:47Z] registered plugin ntfy
INFO[2024-02-29T14:47:47Z] registered plugin http_default
INFO[2024-02-29T14:47:47Z] registered plugin http_tele
INFO[2024-02-29T14:47:47Z] The profile default_ip_remediation didn't match
INFO[2024-02-29T14:47:47Z] pluginTomb dying
INFO[2024-02-29T14:47:47Z] killing all plugins
DEBU[0000] received EOF, stopping recv loop err="rpc error: code = Unavailable desc = error reading from server: EOF"
INFO[0000] plugin process exited path=/usr/local/lib/crowdsec/plugins/notification-email pid=485
DEBU[0000] plugin exited
DEBU[0000] received EOF, stopping recv loop err="rpc error: code = Unavailable desc = error reading from server: EOF"
INFO[0000] plugin process exited path=/usr/local/lib/crowdsec/plugins/notification-http pid=492
DEBU[0000] plugin exited
```
So I found out there's an issue in the latest 1.6.0.
It's "working" as intended, but it's an odd way of working.
So to get it to work you must do `cscli notifications reinject 190 -a '{ "remediation": true}'`.