Hi!
I'm trying to use the http notification plugin for Telegram.
I followed the howto, but it looks like the notification plugin is never parsed or used.
```yaml
# cat profiles.yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 8h
#   duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#  - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  - http_default
#  - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
```
```yaml
# cat notifications/http.yaml
type: http          # Don't change
name: http_default  # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

#group_wait: 0       # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
#group_threshold: 0  # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:         # Number of attempts to relay messages to plugins in case of error
# timeout:           # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body
# Replace with your Telegram chat ID
format: |
  {
    "chat_id": "-<My_Chat_ID>",
    "text": "
    {{range . -}}
    {{$alert := . -}}
    {{range .Decisions -}}
    {{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}.
    {{end -}}
    {{end -}}
    ",
    "reply_markup": {
      "inline_keyboard": [
        {{ $arrLength := len . -}}
        {{ range $i, $value := . -}}
        {{ $V := $value.Source.Value -}}
        [
          {
            "text": "See {{ $V }} on shodan.io",
            "url": "https://www.shodan.io/host/{{ $V -}}"
          },
          {
            "text": "See {{ $V }} on crowdsec.net",
            "url": "https://app.crowdsec.net/cti/{{ $V -}}"
          }
        ]{{if lt $i ( sub $arrLength 1) }},{{end }}
        {{end -}}
      ]
    }
  }

url: https://api.telegram.org/botMY_PRIVATE_BOT_TOKEN/sendMessage # Replace <TELEGRAM_APY_KEY> with your API key
method: POST
headers:
  Content-Type: "application/json"
```
There are no other "http_default" plugins:
```
grep http_default notifications/*
notifications/http.yaml:name: http_default # Must match the registered plugin in the profile
```
and
```
cscli notifications inspect http_default
```
shows me the http.yaml file correctly.
When bruteforcing my ssh from outside, the data are correctly processed:
```
time="08-08-2023 16:19:09" level=info msg="Ip 51.x.y.z performed 'crowdsecurity/ssh-bf' (4 events over 9.341265018s) at 2023-08-08 14:19:09.973706364 +0000 UTC"
```
and the decision is made correctly.
But I have no error or success information in crowdsec.log or syslog about this plugin.
I'm on a distributed setup, and this configuration is on one of the "node servers" (not hosting the LAPI services).
What am I missing to activate this plugin?