Telegram notification : plugin not enabled?

Hi !

I’m trying to use the http notification plugin for Telegram.

I followed the howto, but it looks like the notification plugin is never parsed / used.

# cat profiles.yaml

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 8h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)

notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  - http_default
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

# cat notifications/http.yaml
type: http          # Don't change
name: http_default  # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

#group_wait: 0         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
#group_threshold: 0    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:          # Number of attempts to relay messages to plugins in case of error
# timeout:            # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body

# Replace with your Telegram chat ID

format: |
  {
   "chat_id": "-<My_Chat_ID>",
   "text": "
     {{range . -}}
     {{$alert := . -}}
     {{range .Decisions -}}
     {{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}.
     {{end -}}
     {{end -}}
   ",
   "reply_markup": {
      "inline_keyboard": [
          {{ $arrLength := len . -}}
          {{ range $i, $value := . -}}
          {{ $V := $value.Source.Value -}}
          [
              {
                  "text": "See {{ $V }} on shodan.io",
                  "url": "https://www.shodan.io/host/{{ $V -}}"
              },
              {
                  "text": "See {{ $V }} on crowdsec.net",
                  "url": "https://app.crowdsec.net/cti/{{ $V -}}"
              }
          ]{{if lt $i ( sub $arrLength 1) }},{{end }}
      {{end -}}
      ]
  }

url: https://api.telegram.org/botMY_PRIVATE_BOT_TOKEN/sendMessage # Replace <TELEGRAM_APY_KEY> with your API key

method: POST
headers:
  Content-Type: "application/json"

There are no other "http_default" plugins:

grep http_default notifications/*
notifications/http.yaml:name: http_default  # Must match the registered plugin in the profile

and
cscli notifications inspect http_default shows me the http.yml file correctly.

When brute-forcing my SSH from outside, the data is correctly processed:

time="08-08-2023 16:19:09" level=info msg="Ip 51.x.y.z performed 'crowdsecurity/ssh-bf' (4 events over 9.341265018s) at 2023-08-08 14:19:09.973706364 +0000 UTC"

and the decision is made correctly.

But I have no error / success information in crowdsec.log / syslog about this plugin.

I’m on a distributed setup, and this configuration is on one of the “node servers” (not hosting the LAPI services).

What am I missing to activate this plugin?
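As an added example (not from this thread and not CrowdSec's own code): rendering the http.yaml format template above offline against constructed alerts and parsing the result as strict JSON, which is a quick way to confirm the request body is well formed before the profile is enabled. It assumes sub is the sprig-style integer subtraction the plugin exposes, uses minimal stand-ins for the models.Alert fields, and adds left-trim markers on the "text" actions so the rendered string contains no raw newlines.

```go
package main

import (
	"bytes"
	"encoding/json"
	"text/template"
)

// Stand-ins for the models.Alert fields the template reads (constructed, not CrowdSec's types).
type Decision struct{ Value, Type, Duration, Scenario string }
type Source struct{ Value string }
type Alert struct {
	Source    Source
	Decisions []Decision
}

// The thread's format template, with left-trim markers ({{-) added on the "text" actions so no
// raw newline lands in that JSON string. text/template does no JSON escaping, so '"' in a value would still break it.
const telegramFormat = `{ "chat_id": "-<My_Chat_ID>",
 "text": "{{- range . -}}{{- range .Decisions -}}
   {{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}. {{end -}}{{- end -}}",
 "reply_markup": { "inline_keyboard": [
   {{ $arrLength := len . -}}{{ range $i, $value := . -}}{{ $V := $value.Source.Value -}}
   [ {"text": "See {{ $V }} on shodan.io", "url": "https://www.shodan.io/host/{{ $V -}}"},
     {"text": "See {{ $V }} on crowdsec.net", "url": "https://app.crowdsec.net/cti/{{ $V -}}"}
   ]{{if lt $i ( sub $arrLength 1) }},{{end }}
   {{end -}} ] }
}`

type telegramBody struct {
	Text        string `json:"text"`
	ReplyMarkup struct{ InlineKeyboard [][]map[string]string `json:"inline_keyboard"` } `json:"reply_markup"`
}

// checkBody renders the template as the http plugin would (sub assumed to be sprig's integer
// subtraction) and parses the result as strict JSON, so a broken body is caught offline.
func checkBody(alerts []Alert) (body telegramBody, err error) {
	funcs := template.FuncMap{"sub": func(a, b int) int { return a - b }}
	tmpl := template.Must(template.New("telegram").Funcs(funcs).Parse(telegramFormat))
	var buf bytes.Buffer
	if err = tmpl.Execute(&buf, alerts); err == nil {
		err = json.Unmarshal(buf.Bytes(), &body)
	}
	return body, err
}

// sampleAlerts is constructed input: RFC 5737 addresses and the thread's scenario names.
var sampleAlerts = []Alert{
	{Source{"192.0.2.10"}, []Decision{{"192.0.2.10", "ban", "8h", "crowdsecurity/ssh-bf"}}},
	{Source{"198.51.100.7"}, []Decision{{"198.51.100.7", "ban", "4h", "crowdsecurity/mariadb-bf"}}},
}
```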

Looks like notification plugins are not parsed locally when using a distributed installation.

When moved to the LAPI server, the Telegram notification works immediately.

So, 2 questions:

  • is it possible to use notifications locally?
  • if not, is it possible to filter notifications to only specific log processors (node, for me) and/or scenarios?

Filter on scenario (profiles.yaml on the LAPI server):

name: notif_server1
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/mariadb-bf"]
decisions:
 - type: ban
   duration: 8h
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
 - http_default #Telegram notification

on_success: break
---
name: default_ip_remediation
#default case
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)

#notifications:
#   - slack_default  # Set the webhook in /usr/local/etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /usr/local/etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default   # Set the required http parameters in /usr/local/etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /usr/local/etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

But I still don’t know if I can filter on the source node (haven’t found the information).

is it possible to use notifications locally?

No, as the local profiles are not evaluated, hence notifications don’t live here.

if not, is it possible to filter notifications to only specific log processors (node, for me) and/or scenarios?

Yeah, as you have done: define 2 profiles, then do a machine check:

- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/mariadb-bf"] && Alert.MachineID in ['XXXXX']

I am trying to get a simpler notification filter through RFC: Profile notification filter · Issue #2327 · crowdsecurity/crowdsec · GitHub

Thank you for the detailed answer, and nice idea to get an easy notification filter!